The healthcare industry has become a prime target for cybercriminals, with data breaches and ransomware attacks costing organizations millions of dollars in damages. According to IBM's 2023 Cost of a Data Breach Report, the average cost of a healthcare breach in the U.S. has reached $10.93 million, an increase of over 53% in the past three years.
This trend poses a serious threat to patient privacy and the continuity of medical services. Healthcare organizations are particularly vulnerable due to expanding attack surfaces, a shortage of security talent, and the high value of their data.
Vulnerabilities in the healthcare industry
The healthcare industry's reliance on digital technologies, its interconnected medical devices, and its large user base have made it a target for cybercriminals. Several factors contribute to the industry's heightened vulnerability:
Expanding attack surfaces
The rapid digitization of healthcare services, from electronic health records (EHRs) to telehealth platforms, has expanded the attack surface, providing more entry points for threat actors to exploit.
Ecosystem of interconnected devices
The healthcare ecosystem includes many connected medical devices, such as patient monitoring systems and diagnostic equipment. When these devices are compromised, threat actors can often disrupt multiple systems.
Security talent shortage
The healthcare industry faces a growing shortage of cybersecurity professionals, creating challenges for implementing and maintaining security measures.
Valuable data trove
Healthcare organizations hold a wealth of personally identifiable information (PII) and protected health information (PHI), which are highly valuable on the dark web, making them prime targets for data breaches and ransomware attacks.
Increased negotiation
Due to the costs of downtime and regulatory pressures, healthcare organizations may be more inclined to negotiate with or pay ransoms to cybercriminals, further incentivizing these malicious actors.
Lack of security awareness
Many healthcare employees, from administrative staff to medical professionals, may lack the security training and identity hygiene practices to recognize and prevent social engineering attacks.
The biggest healthcare industry cyberattacks
HCA Healthcare
In July 2023, threat actors accessed and exfiltrated data from an external storage location that formatted emails and calendar reminders sent to patients at HCA Healthcare, a Tennessee-based hospital and clinic operator. The breach exposed the personal information of more than 11 million patients across 20 states, including names, email addresses, birth dates, and other PII. Multiple class-action lawsuits were filed, alleging that HCA failed to implement appropriate security measures, such as data encryption and proper data retention policies.
Medibank
In 2022, Russia-based hackers believed to have ties to the REvil ransomware gang targeted Medibank, a major Australian health insurance provider. The attackers stole the personal information of 9.7 million customers, including patient names, dates of birth, social security numbers, and in some cases, medical records. Medibank refused to pay the $10 million ransom, stating that there was a limited chance of ensuring the return of customer data and preventing its publication.
Cerebral
In 2023, telehealth organization Cerebral made headlines for a data breach involving the accidental exposure of protected health information (PHI) to third parties without patient consent. The breach, which affected 3.1 million patients, was caused by the installation of tracking pixels from major technology companies on Cerebral's applications, leading to the disclosure of names, dates of birth, contact information, self-assessment responses, treatment details, and other clinical data.
Banner Health
In 2016, hackers used malware to breach the payment processing system of Banner Health's food and beverage outlets, using it as a gateway to access the organization's network and obtain sensitive patient data, including social security numbers, dates of service, claims, and health insurance information. The attack cost Banner Health $6 million and led the organization to implement significant security upgrades, including compliance with the Payment Card Industry Data Security Standard (PCI DSS), enhanced security monitoring, and tighter cybersecurity practices.
Medical Informatics Engineering
In 2015, Medical Informatics Engineering (MIE), an electronic health records software firm, experienced a breach where hackers remotely accessed the company's network using easily guessed credentials, ultimately reaching multiple files and databases. The attack affected 3.9 million patients, and MIE subsequently made significant investments in security measures, including hiring security personnel, implementing new policies and procedures, and deploying monitoring and prevention tools.
Advocate Medical Group
Between July and November 2013, Advocate Medical Group (AMG), a physicians' group with over 1,000 doctors, reported three separate data breaches. The first involved the theft of four desktop computers containing the records of nearly 4 million patients, the second involved an unauthorized third party gaining access to the network of AMG's billing services provider, and the third involved the theft of an unencrypted laptop containing the records of over 2,230 patients. The breaches compromised a wide range of sensitive information, including patient names, addresses, dates of birth, credit card numbers, and health insurance data.
Excellus Health Plan, Inc.
In 2015, Excellus Health Plan, Inc. reported that 10 million clients may have been exposed in a cyber attack dating back to 2013. The hackers gained access to administrative controls, rendering the encryption of the compromised data moot. Stolen information included names, dates of birth, social security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claim data.
Premera Blue Cross
In 2014, hackers sent a phishing email to a Premera Blue Cross employee. The email contained a link to a document with malware, and once the employee downloaded the document, the hackers were able to access Premera's server and remain undetected for eight months. The breach affected 11 million patients. Premera Blue Cross subsequently paid $74 million to settle a class-action lawsuit, agreeing to improve its information security program, encrypt personal data, and strengthen specific security controls.
Anthem, Inc.
In 2015, Anthem (formerly WellPoint) disclosed that attackers had accessed its corporate database through a phishing email, gaining access to nearly 79 million records. The compromised information included names, addresses, social security numbers, birth dates, medical IDs, insurance membership numbers, income data, and employment information. This breach is considered the largest healthcare industry cyber attack in history, and Anthem agreed to pay $115 million to resolve the resulting litigation.
Change Healthcare
In March 2024, the U.S. health insurance billing firm Change Healthcare fell victim to a ransomware attack by the notorious BlackCat/AlphV group. While the organization has not confirmed or denied the incident, it is believed that it paid a $22 million ransom to restore services and prevent further disruption. The attack, which impacted a third of Americans, resulted in disrupted payments to doctors and healthcare facilities, alongside difficulties in billing for and filling prescriptions.
MCNA Dental
In the fall of 2023, the U.S. dental insurance company MCNA Dental fell victim to the prolific ransomware group LockBit. The actors were able to infiltrate the organization's systems for 10 days without detection and exfiltrate 700 GB of data, including the PHI of 8.9 million clients. When the ransom of $10 million was not paid, LockBit published the stolen data on the dark web, resulting in 11 lawsuits across multiple states.
Lessons learned and recommendations
The series of high-profile healthcare data breaches and ransomware attacks has shown the need for the industry to strengthen its cybersecurity posture. Lessons and recommendations include:
- Enhance data protection: Healthcare organizations must prioritize data encryption and secure data storage and disposal, and implement access controls to safeguard sensitive patient information.
- Strengthen identity and access management: Identity and access management practices, including multi-factor authentication and regular password updates, can help mitigate the risk of credential-based attacks.
- Implement comprehensive incident response plans: Developing and regularly testing incident response plans can help healthcare organizations respond quickly and effectively to cyber incidents, minimizing the impact on operations and patient care.
- Invest in employee security awareness training: Educating healthcare employees on security best practices, such as recognizing and reporting phishing attempts, can reduce the risk of social engineering attacks.
- Enhance third-party risk management: Carefully vetting and monitoring the security practices of third-party vendors and service providers can help prevent data breaches originating from these external sources.
- Adopt a proactive cybersecurity approach: Continuous vulnerability assessments, threat monitoring, and advanced security technologies can help healthcare organizations stay ahead of changing cyber threats.
- Collaborate with cybersecurity experts: Partnering with cybersecurity professionals and industry organizations can provide healthcare organizations with the expertise and resources needed to strengthen their security posture.
- Prioritize regulatory compliance: Ensuring compliance with industry-specific regulations, like HIPAA, can help healthcare organizations mitigate the legal and financial consequences of data breaches.
FAQs
How can individuals and organizations protect themselves from cyberattacks?
- Strong passwords: Use complex and unique passwords for different accounts.
- Security software: Install and regularly update antivirus and antimalware software.
- Employee training: Educate employees about cybersecurity best practices.
- Regular backups: Regularly back up important data to a secure location.
How do cyber attacks impact healthcare operations and patient care?
- On average, cyberattacks take healthcare organizations offline for six hours, with smaller hospitals commonly being offline for nine hours or more.
- 95% of identity theft happens because of stolen healthcare records.
What are the consequences of cyberattacks on healthcare organizations?
- 20% of hospitals that experienced a cyber attack reported an increase in patient mortality.
- Ransomware is the most disruptive attack type, leading to the most operational delays.
- 90% of healthcare organizations reported a loss in revenue after a cyber attack.