While the healthcare news of 2020 was dominated by headlines concerning COVID-19, there was another disturbing headline that went unnoticed to many. More large healthcare data breaches were reported in 2020 than in any other year according to the U.S. Department of Health and Human Services Office for Civil Rights. According to the Tenable Research 2020 Threat Landscape Report, the largest data breach leaked 22 billion records of personal information in 2020 belonged to the healthcare industry. An article published in the HIPAA journal in January, 2021, states that we are failing to flatten the curve when it comes to data breaches;
- More than 29 million healthcare records were breached in 2020
- Healthcare related data breaches occurred at a rate of 1.76 per day in the year.
- There was a 25% year-over-year increase in healthcare data breaches
- 642 healthcare data breaches of 500 or more records were reported in 2020
- A single breach involved more than 10 million records, while 63 saw more than 100,000 records breached
The cumulative story isn’t any better. The number of healthcare data breaches has doubled since 2014 and tripled since 2010. More than 3,700 breaches of 500 or more records have been reported since October 2009, with the total number of exposed records totaling over 78 million. The trendline is surging upwards for 2021 as well. A total of 56 breaches have occurred in the first two months of 2021 alone.
Data Breach Causes
The database breaches are attributed to three primary factors:
- Cyber attacks - hacking and IT incidents involving malicious hacking activity, often attributed to improper IT security efforts
- Unauthorized disclosure in which personal healthcare information is shared by internal parties or systems
- Loss or theft mostly involving the loss of endpoint devices
Bitglass stated more than 67% of all healthcare breaches were the result of cyberattacks, hacking and IT incidents, and 22% attributed to unauthorized disclosure. When attack methodologies were analyzed, 55% of all healthcare data breaches involved ransomware attacks. The next leading cause was phishing attacks (21%). Insecure databases came up a distant third.
Data Breach Victims
It isn’t just the number of breaches that is so alarming, it’s the size of the breaches themselves. Some of the largest breaches included Dental Care Alliance. An attack was detected on October 11, of last year that potentially comprised the payment card numbers of over 1 million patients. The attackers first gained access to the DCA systems on September 18 and the attack wasn’t remediated until October 13. In addition to payment card information, the culprits may have stolen patient names and contact information as well as medical information and insurance data. Patients were informed about the attack in early December and an estimated 10 percent of the patients later reported a breach of their account numbers.
Another large scale attack was reported by the Florida Orthopedic Institute on April 9 of 2020 that may have compromised the personal health information of more than 640,000 patients. This attack involved a ransomware attack. While internal IT was able to fully restore the encrypted data, an investigation showed that the data was potentially exfiltrated just prior to being encrypted. Data included patient names, dates of birth, Social Security numbers, and sensitive medical information. A class action lawsuit was later filed against FOI.
Last year also showed that personal patient information is still compromised the old fashioned way. The theft of a single laptop owned by a transportation vendor used by an Oregon based company called Health Share may have compromised the information of some 654,000 patients. At the time of the report, it was unknown whether the data was encrypted on the device. The potentially compromised data included Medicaid ID numbers as well as the names, contact information and health histories of the involved patients.
Why the Rise in Cyberattacks on the Healthcare Industry?
There are many reasons why the number of attacks have surged in the past 14 months. Like many industries, the dramatic transition to remote work implementations as well as the distraction of COVID on healthcare organizational leaders has contributed greatly. The main contributor for the rise of cyberattacks on the healthcare sector is simply money. Patient records are worth a lot of money on the open market due to the elaborate information they contain. While credit card numbers only garner a few dollars apiece, patient information can garner as much as $150 per record. Unfortunately, a compromised record costs the victimized organization an average of $499 last year, a 16% increase year-over-year.
Healthcare organizations have an obligation to protect their patient's data from potential data breaches. TitanHQ can help healthcare providers with a solution to prevent cyber attackers from accessing sensitive data. Contact TitanHQ today and learn how our award winning solutions will protect your business and patients.