USA TODAY US Edition

Health care data breaches are surging

Hackers’ latest tactics put your info at risk

- Ken Alltucker and Bianca Pallaro

In November 2021, Southern Ohio Medical Center diverted ambulances and canceled appointments after hackers gained access to the hospital’s computer systems.

The two-day cyberattack temporarily took down the mid-sized nonprofit’s electronic medical records and disrupted units such as cardiovascular catheterization, cancer care, outpatient surgeries and rehabilitation. In all, the hospital reported the hackers breached records of more than 15,000 individuals.

The attack is an example of a growing trend of hackers seeking to disrupt health care or compromise the medical and personal records of tens of millions of people every year in search of profit. Since 2021, one gang demanded and extracted over $100 million in ransom from hospitals and other businesses.

The number of attacks has surged since 2019 with organized hackers, often located overseas, infiltrating the computer systems of health providers, locking up critical files and disrupting care. The trend underscores why hospitals and health companies must upgrade systems to repel these attacks that can delay care, jeopardize patient safety and cost millions to recover from, experts say.

Meanwhile, who hackers are going after is changing. No longer content with stealing data from large companies, attackers are increasingly targeting large metro and small rural hospitals as well as third-party suppliers who bill, mail or provide outsourced services for large health companies.

A database maintained by the U.S. Department of Health and Human Services shows health care’s most recognizable brands have had significant data breaches – some repeatedly.

The companies whose data breaches have affected the most people since 2010 – more than 122 million people – are Anthem, Optum, Premera Blue Cross, Community Health Systems and LabCorp, according to a USA TODAY analysis of HHS data.

Blue Cross Blue Shield affiliates reported the most data breaches – 26 – since 2010, the analysis showed. Kaiser Foundation Health Plan had 20 breaches, followed by Walgreen Co. at 18, and Aetna and Humana both with 17.

Anthem, which has been renamed Elevance Health, operates Blue Cross Blue Shield health plans in 14 states and has reported 11 data breaches since 2010. Anthem was the target of the largest-ever health breach in 2015, in which hackers accessed names, Social Security and medical identification numbers, addresses, dates of birth, emails and employment information of 78.8 million people.

Eight of Anthem’s 11 data breaches came after the large 2015 cyberattack, and all affected far fewer individuals. The company has since paid millions of dollars to the federal government for potential violations of HIPAA protections, as well as millions more to settle with states.

“It’s definitely a crime of opportunity,” said Hannah Neprash, an assistant professor of health policy and management at the University of Minnesota.

A surge in cases during the COVID-19 pandemic “was no coincidence,” she said. “It was very much a conscious decision on the part of ransomware actors to take advantage of the fact that the health care system was pretty overwhelmed.”

The FBI has sought to counter the attacks carried out by international thieves and has had some success. Still, the responsibility for repelling the attacks rests with hospitals, health insurers and other health entities who must build robust defenses.

‘Targets who can’t fight back’

Health care was slow to adopt computerized records. But a push to switch from pen and paper records to computerized systems accelerated after a federal stimulus bill passed in 2009, which provided lucrative payments to hospitals and other health-related entities that digitized patient records.

As of 2021, 96% of conventional hospitals had electronic health records, though rates were slightly lower for psychiatric and other specialty hospitals, according to HealthIT.gov.

The switch created a rich target for hackers, experts say.

The federal government’s efforts “created a tremendous amount of cyber risk exposure with all this technology that was deployed,” said John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk. “So now we’re left with the responsibility to protect the networks and technology that we were incentivized to implement by the federal government.”

The nature of these attacks has also changed.

A decade ago, hackers were more likely to steal personal data, such as Social Security or credit card numbers, and sell that information on the black market. Now, they are increasingly demanding ransom payments from hospitals and other health providers.

A study published in JAMA Health Forum found that ransomware attacks on health care organizations, a type of data breach in which attackers encrypt or lock up systems and demand payment, more than doubled from 2016 through 2021, jumping from 43 to 91 a year and exposing the personal health information of 42 million people. Almost half of those attacks disrupted health care services: electronic systems were shut down, appointments canceled or ambulances diverted.

The hackers are savvy and do not discriminate, with some attacking large, seemingly lucrative health organizations while others target smaller hospitals and health companies who may be easier to go after.

Hackers cause 80% of health data breaches

Government regulators who enforce data privacy laws have been overwhelmed by the surge in cases.

The HHS Office for Civil Rights, which oversees how companies protect health data, has had a 69% jump in cases since 2017. Of the more than 51,000 complaints the agency fielded in 2022, two-thirds involved violations of health information privacy and security laws.

The workload increased so much that the agency last month announced it has reorganized functions and created a division called Health Information Privacy, Data, and Cybersecurity. OCR Director Melanie Fontes Rainer said the reorganization should improve the agency’s “ability to effectively respond to complaints.”

The agency’s funding has been flat for the past two decades, which has challenged the agency to keep pace with higher work volumes, said Rachel Seeger, a spokeswoman for the Office for Civil Rights.

“While settlements have been a source of funds in the past, this amount is dwindling as the civil monetary penalties were capped in the Trump administration, something for which OCR is working on a legislative fix,” she said.

Health care providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act, or HIPAA, must notify the Department of Health and Human Services and individuals when their health information is breached. The agency then investigates to learn the scope of the breach and whether the entities properly safeguarded the information. If not, they could face big fines.

The agency publicly reports data breaches of protected health information affecting 500 or more people. Those large breaches increased from 663 in 2020 to 714 in 2021. Hacking accounts for 80% of the large breaches the federal agency has received. Other data breaches are the result of health entity miscues such as improper disposal of data, unauthorized access or theft of records.

The agency’s reorganization aims to streamline cases and assign investigators to their areas of expertise. Under the old structure, cases could take years to resolve.

When investigating a data breach, regulators evaluate factors such as the size of the data breach and any physical or financial harm from such incidents, said Nick Heesters, senior adviser for cybersecurity at the HHS Office for Civil Rights. A provider with repeated data breaches might face a more significant fine.

After the attack on Anthem in 2015 that exposed the electronic health information of 78.8 million people, the insurer paid $16 million to the HHS Office for Civil Rights and agreed to take corrective action to settle potential HIPAA violations. The company also paid $39.5 million to settle claims with attorneys general in 43 states.

In a statement, parent company Elevance Health said the company “takes the security of its data and the personal information of consumers seriously and is committed to safeguarding PHI (protected health information) and PII (personally identifiable information), while adapting to the evolving health care information security environment.”

What’s being done to protect data?

In January, the Justice Department announced the takedown of the Hive ransomware group, which had targeted more than 1,500 victims, including hospitals, schools and businesses. One hospital had to use pen and paper records and halted new admissions during the COVID-19 pandemic.

By entering Hive’s computer systems, authorities captured encryption keys and gave them to 300 entities that were under attack. The Hive group had already extracted more than $100 million in ransom from victims around the globe, but a federal campaign halted its attempt to extort an additional $130 million, officials said.

The Justice Department did not announce any arrests nor did it reveal the location of the individual­s behind the ransomware attacks.

In Anthem’s 2015 attack, charges are pending against Fujie Wang, 36, of Shenzhen, China, and an unnamed accomplice. They were charged in 2019 but neither has ever appeared in court, according to a spokeswoman for the U.S. Attorney’s Office in Indianapolis. Wang remains on the FBI’s most wanted list.
