A record number of health data breaches resulted in the medical information of more than 144 million Americans being stolen or exposed last year, according to a USA TODAY analysis of Health and Human Services data.
After the record was broken in 2023, the most serious breach came in February, when a ransomware attack targeted Change Healthcare, the nation’s largest healthcare payment system, owned by UnitedHealth Group. The company handles one-third of all patient records and processes 15 billion medical transactions annually, according to an HHS letter.
The COVID-19 pandemic accelerated the use of remote and third-party technologies, making the healthcare ecosystem more interconnected and more vulnerable to cyberattacks, said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. These technologies not only make it possible to provide care to patients wherever they are, but they also give hackers widespread access to healthcare systems and records.
Since 2019, data breaches targeting third-party vendors contracted by hospitals have more than tripled, growing significantly faster than attacks directly targeting traditional healthcare providers, according to a USA TODAY analysis of HHS data.
“The bad guys figured it out,” Riggi said. “They realized, ‘Why would he need to hack 1,000 hospitals when he could hack one common business associate and get all the data?’”
Cyberattacks against hospitals disrupt patient care and pose risks to patient safety. Surgeries are canceled or rescheduled. Patients and ambulances are diverted. Patients’ protected health information and personally identifiable information are exposed. When clearinghouses and healthcare payment systems are targeted, billing and payment problems can last for months.
“It’s going to get worse,” said Errol Weiss, chief security officer at the Center for Health Information Sharing and Analysis.
Has your health information been exposed?
Federal law requires healthcare organizations to report security breaches that compromise patient information to Health and Human Services. Find out if your health information has been compromised by searching by company name, type of breach, or company location.
What are the main causes of healthcare data breaches?
Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information Management Systems Association, said that while cyberattacks are not a problem unique to healthcare, the abundance of economically valuable personal information makes the industry more vulnerable and has made it a major target.
A USA TODAY analysis found that hacking incidents are the most common type of health data breach, accounting for more than half of incidents going back to 2009.
Ransomware attacks are becoming increasingly common, Weiss said, with cybercriminals demanding large sums of money to restore access to sensitive medical data. According to the FBI’s 2023 internet crime report, the healthcare industry is more affected by ransomware attacks than any other critical infrastructure sector.
Compared to other fields, “healthcare tends to pay more because ultimately lives are at stake,” Weiss said.
“That’s a self-serving prophecy,” he said. “We are seeing a very predictable development in the increase in the number of attacks as organizations pay ransoms.”
Riggi said not all hospitals and medical institutions have enough money, technology or staff to protect themselves.
“The healthcare sector is woefully behind in terms of cybersecurity and information security resources,” Weiss said.
“We’re really playing catch-up.”
What are the biggest healthcare data breaches?
Before the Change Healthcare ransomware attack, the largest healthcare data breach in history occurred in 2015. The attack on health insurance giant Anthem, now named Elevance Health, compromised the protected health information of approximately 79 million Americans.
Three years later, Anthem agreed to pay $16 million to HHS’s Office of Civil Rights, the biggest settlement of that kind.
In 2023, HCA Healthcare, which operates 182 hospitals and thousands of medical facilities in 20 states, was the third largest company overall and experienced the largest healthcare data breach of the year. This attack compromised the personal information of more than 11 million patients.
Although the incident involved an external storage location, no sensitive information such as clinical information, payment details, passwords or Social Security numbers was compromised, Harlow Summerford, a spokeswoman for the Nashville, Tenn.-based company, said in a statement via email.
Asked if HCA plans to strengthen its security posture, Summerford said the company does not publicly discuss the details of its security measures as part of its overall protection strategy.
Tom Leary, senior vice president and director of government relations for the Healthcare Information Management Systems Association, said the Change Healthcare scandal has prompted lawmakers and regulators to take steps to protect health care providers and ensure financial stability. He said that there is an increasing focus on proposing measures to address the issue.
Leary said some hospitals and healthcare organizations are also increasing their cybersecurity budgets to better protect against future attacks, citing a 2023 cybersecurity investigation report as an example.
“This is a shared responsibility,” Riggi said. “Hospitals understand that we must play a role in being prepared to defend and respond to attacks, but that alone will not solve the healthcare sector cyber crisis.”