One in four Americans have had their health data compromised this year

Cyber attacks in the healthcare industry are only getting more common


More than a quarter of the US population has had their health data exposed in security breaches this year, with a rise in ransomware attacks and other hacking efforts affecting nearly 87 million patients, according to internet security firm Atlas VPN. Data of more than 45 million patients was compromised in the third quarter of 2023 alone, up from the 37 million patients affected in all of 2022.

Healthcare companies need to alert the US Department of Health and Human Services about healthcare data breaches that impact 500 people or more. Largely in line with population figures, the most affected states in 2023 so far are California and New York, which have 43 and 42 reported breaches respectively. Texas, Massachusetts, and Pennsylvania close the top five on the list. Vermont was the only state to avoid any attacks so far this year.

Why are hackers targeting hospitals?

The healthcare sector is a high-value target for cybercriminals because the data it holds is highly profitable on the dark web. US healthcare organizations reportedly dedicate only 6% of their IT budgets to cyber security.

Of the 480 breaches reported in the first three quarters of 2023, up from 373 total cases reported in the whole of last year, the largest involved the hospital and clinic operator HCA Healthcare, in which hackers stole data on 11 million patients. Size-wise, that was followed by a breach at Managed Care of North America (MCNA), where hackers accessed data for 8.9 million dental patients.

The US Department of Health and Human Services Office for Civil Rights currently has 898 breach cases under investigation, which have been reported in the last two years. Section 13402(e)(4) of the HITECH Act requires the agency’s secretary to publicly post a list of breaches of unsecured protected health information affecting 500 or more individuals.

In one cyber attack in August on a hospital run by California-based Prospect Medical Holdings, IT systems were interrupted across the US, forcing emergency wards and intensive care units in five states to close.

The cost of patient data breaches is rising

An IBM report released in July indicated the average cost of data breaches across the global economy reached $4.45 million this year, reflecting a 15% increase over the last three years. Detection and escalation costs, which account for the largest portion of breach costs, soared 42% over the same period.

In the healthcare sector, the average cost of a breach increased by 8% to a record $10.9 million, according to IBM. In the MCNA incident, for instance, hackers demanded a $10 million ransom.

In most of these reported breaches, the companies took time to learn of the infiltrations. The breach at MCNA happened on Feb. 26 this year but was not discovered until March 4. The IBM security report indicates a large detection gap, with only a third of breaches being detected by a company’s security measures, 27% being disclosed by the attacker, and 40% being identified by a neutral third party.