The healthcare industry has become a prime target for cybercriminals, with data breaches and ransomware attacks costing organizations millions of dollars in damages. According to IBM's 2023 Cost of a Data Breach Report, the average cost of a healthcare data breach has reached $10.93 million, the highest of any industry and an increase of more than 53% over the past three years.
This trend poses a serious threat to patient privacy and the continuity of medical services. Healthcare organizations are particularly vulnerable due to expanding attack surfaces, a shortage of security talent, and the high value of their data.
The healthcare industry's reliance on digital technologies, interconnected medical devices, and its large user base has made it a target for cybercriminals. Several factors contribute to the industry’s heightened vulnerability:
The rapid digitization of healthcare services, from electronic health records (EHRs) to telehealth platforms, has expanded the attack surface, providing more entry points for threat actors to exploit.
The healthcare ecosystem contains many connected medical devices, including patient monitoring systems and diagnostic equipment, that share networks with clinical and administrative systems. A single compromised device can therefore be used to disrupt care delivery or as a foothold from which to pivot into multiple other systems.
The healthcare industry faces a growing shortage of cybersecurity professionals, creating challenges for implementing and maintaining security measures.
Healthcare organizations hold a wealth of personally identifiable information (PII) and protected health information (PHI), which are highly valuable on the dark web, making them prime targets for data breaches and ransomware attacks.
Due to the costs of downtime and regulatory pressures, healthcare organizations may be more inclined to negotiate with or pay ransoms to cybercriminals, further incentivizing these malicious actors.
Many healthcare employees, from administrative staff to medical professionals, may lack the security training and identity hygiene practices to recognize and prevent social engineering attacks.
In July 2023, threat actors accessed and exfiltrated data from an external storage location used to format email messages and calendar reminders sent to patients of HCA Healthcare, a Tennessee-based hospital and clinic operator. The breach exposed the personal information of more than 11 million patients across 20 states, including names, email addresses, dates of birth, and other PII. Multiple class-action lawsuits were filed, alleging that HCA failed to implement appropriate security measures, such as data encryption and proper data retention policies.
In 2022, Russia-based hackers believed to have ties to the REvil ransomware gang targeted Medibank, a major Australian health insurance provider. The attackers stole the personal information of 9.7 million current and former customers, including names, dates of birth, Medicare numbers, passport numbers and, in some cases, health claims data. Medibank refused to pay the $10 million ransom, stating that there was only a limited chance that payment would ensure the return of customer data and prevent its publication.
In 2023, telehealth organization Cerebral made headlines for a data breach involving the accidental exposure of protected health information (PHI) to third parties without patient consent. The breach, which affected 3.1 million patients, was caused by the installation of tracking pixels from major technology companies on Cerebral's applications, leading to the disclosure of names, dates of birth, contact information, self-assessment responses, treatment details, and other clinical data.
In 2016, hackers used malware to breach the payment processing system of Banner Health's food and beverage outlets, using it as a gateway to access the organization's network and obtain sensitive patient data, including social security numbers, dates of service, claims, and health insurance information. The attack cost Banner Health $6 million and led the organization to implement significant security upgrades, including compliance with the Payment Card Industry Data Security Standard (PCI DSS), enhanced security monitoring, and tighter cybersecurity practices.
In 2015, Medical Informatics Engineering (MIE), an electronic health records software firm, experienced a breach where hackers remotely accessed the company's network using easily guessed credentials, ultimately reaching multiple files and databases. The attack affected 3.9 million patients, and MIE subsequently made significant investments in security measures, including hiring security personnel, implementing new policies and procedures, and deploying monitoring and prevention tools.
Between July and November 2013, Advocate Medical Group (AMG), a physicians' group with over 1,000 doctors, reported three separate data breaches. The first involved the theft of four desktop computers containing the records of nearly 4 million patients, the second was an unauthorized third party gaining access to the network of AMG's billing services provider, and the third was the theft of an unencrypted laptop containing the records of over 2,230 patients. The breaches compromised a wide range of sensitive information, including patient names, addresses, dates of birth, credit card numbers, and health insurance data.
In 2015, Excellus Health Plan, Inc. reported that 10 million clients may have been exposed in a cyber attack dating back to 2013. The hackers gained access to administrative controls, rendering the encryption of the compromised data moot. Stolen information included names, dates of birth, social security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claim data.
In 2014, hackers sent a phishing email to a Premera Blue Cross employee. The email contained a link to a document with malware, and once the employee downloaded the document, the hackers were able to access Premera's server and remain undetected for eight months. The breach affected 11 million patients. Premera Blue Cross subsequently paid $74 million to settle a class-action lawsuit, agreeing to improve its information security program, encrypt personal data, and strengthen specific security controls.
In 2015, Anthem (formerly WellPoint) disclosed that attackers had accessed its corporate database after a phishing email, compromising nearly 79 million records. The exposed information included names, addresses, social security numbers, birth dates, medical IDs, insurance membership numbers, income data, and employment information. The incident remains one of the largest cyber attacks on the healthcare industry in history, and Anthem agreed to pay $115 million to resolve the resulting litigation.
In February 2024, the U.S. healthcare claims clearinghouse and payments firm Change Healthcare, a subsidiary of UnitedHealth Group, fell victim to a ransomware attack by the BlackCat/ALPHV group. UnitedHealth Group later confirmed that it paid a ransom, widely reported to be $22 million, in an effort to restore services and limit further disruption. The attack, which exposed data belonging to potentially a third of Americans, disrupted payments to doctors and healthcare facilities and caused difficulties in billing for and filling prescriptions.
In early 2023, the U.S. dental insurance company MCNA Dental fell victim to the prolific ransomware group LockBit. The actors remained inside the organization's systems for about 10 days without detection and exfiltrated 700 GB of data, including the PHI of 8.9 million clients. When the $10 million ransom was not paid, LockBit published the stolen data on the dark web, and the breach resulted in 11 lawsuits across multiple states.
The series of high-profile healthcare data breaches and ransomware attacks has shown the need for the industry to strengthen its cybersecurity posture. Lessons and recommendations include: