A record number of health data breaches resulted in the medical information of more than 144 million Americans being stolen or exposed last year, according to a USA TODAY analysis of Health and Human Services data.
After breaking records in 2023, the most significant breach occurred in February, with a ransomware attack targeting Change Healthcare, the nation's largest healthcare payment system, which is owned by UnitedHealth Group. The company handles one-third of all patient records and processes 15 billion medical transactions annually, according to the HHS letter.
The COVID-19 pandemic accelerated the use of remote and third-party technologies, making the healthcare ecosystem more interconnected and more vulnerable to cyberattacks, said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. These technologies not only make it possible to provide care to patients wherever they are, but they also give hackers widespread access to healthcare systems and records.
Since 2019, data breaches targeting third-party vendors contracted with hospitals have more than tripled, increasing at a significantly faster pace than attacks directly targeting traditional health care providers, according to a USA TODAY analysis of HHS data.
“The bad guys figured it out,” Riggi said. “They realized, 'Why would he need to hack 1,000 hospitals when he could hack one common business associate and get all the data?'”
Cyberattacks against hospitals disrupt patient care and pose risks to patient safety. Surgeries are canceled or rescheduled. Patients and ambulances are diverted. Patients' protected health information and personally identifiable information are exposed. When clearinghouses and healthcare payment systems are targeted, billing and payment problems can last for months.
“It's going to get worse,” said Errol Weiss, chief security officer at the Center for Health Information Sharing and Analysis.
Has your health information been exposed?
Federal law requires health care providers to report to Health and Human Services any security breaches that compromise patient information.
What are the main causes of healthcare data breaches?
Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information Management Systems Association, said that while cyberattacks are not a problem unique to healthcare, the abundance of economically valuable personal information makes the industry more vulnerable and has made it a major target.
A USA TODAY analysis found that hacking incidents are the most common type of health data breach, accounting for more than half of incidents dating back to 2009.
Ransomware attacks are becoming increasingly common, Weiss said, with cybercriminals demanding large sums of money in exchange for restoring access to sensitive medical data. According to the FBI's 2023 Internet Crime Report, the healthcare industry is more affected by ransomware attacks than any other critical infrastructure sector.
Compared to other fields, “healthcare tends to pay more because ultimately lives are at stake,” Weiss said.
“That's a self-serving prophecy,” he said. “We are seeing a very predictable development in the increase in the number of attacks as organizations pay ransoms.”
Riggi said not all hospitals and medical institutions have enough money, technology or staff to protect themselves.
“The healthcare sector is woefully behind when it comes to cybersecurity and information security resources,” Weiss said.
“We're really playing catch-up.”
What are the biggest healthcare data breaches?
Before the Change ransomware attack, the largest healthcare data breach in history occurred in 2015. The attack on health insurance giant Anthem, now named Elevance Health, compromised the protected health information of approximately 79 million Americans.
Three years later, Anthem agreed to pay $16 million to the HHS Office of Civil Rights, the largest settlement of its kind.
In 2023, HCA Healthcare, which operates 182 hospitals and thousands of medical facilities in 20 states, was the third largest company overall and experienced the largest healthcare data breach of the year. This attack compromised the personal information of more than 11 million patients.
Although the incident involved an external storage location, no sensitive information such as clinical information, payment details, passwords or Social Security numbers was compromised, Harlow Summerford, a spokeswoman for the Nashville, Tenn.-based company, said in a statement sent via email.
Asked if HCA plans to strengthen its security posture, Summerford said the company does not publicly discuss the details of its security measures as part of its overall protection strategy.
Tom Leary, senior vice president and director of government relations for the Healthcare Information Management Systems Association, said the Change Healthcare scandal has prompted lawmakers and regulators to take action to protect health care providers and ensure financial stability. He said that there is an increasing focus on proposing measures to address the issue.
Citing the 2023 Cybersecurity Survey Report, Leary said some hospitals and medical institutions are also increasing their cybersecurity budgets to better protect against future attacks.
“This is a shared responsibility,” Riggi said. “Hospitals understand that we must play a role in being prepared to defend and respond to attacks, but that alone will not solve the healthcare sector cyber crisis.”