Hospitals, pharmacies, care centers and other healthcare organizations are prime targets for malicious cyber-criminals. There are a few reasons for this: healthcare organizations handle vast amounts of personal and private data, which is highly valuable to criminal groups.
Cybercriminals also tend to take the path of least resistance; healthcare organizations often cannot afford to invest in the latest and greatest security technologies, making them an easy target for every type of cyber-crime, from gift-card scams to sophisticated ransomware.
Exacerbating these issues, the healthcare industry has been under immense pressure over the past two years, dealing with unprecedented challenges during the course of a worldwide pandemic. Cybercriminals, both individual actors and malicious nation-state-backed groups, have cynically exploited the COVID-19 pandemic.
Let’s look at the 25 most alarming data breaches in the healthcare space, examining five key areas.
Key Healthcare Data Breach Statistics
In 2021, there were a number of major healthcare-related data breaches, with over 40 million patient records compromised in the USA. This led to several warnings from the FBI about the risk of cyber-crime to the healthcare sector. In the wake of Russia’s invasion of Ukraine, the FBI has released further warnings of Russian hacks on US healthcare organizations.
A report on the impact of healthcare-related data breaches from Protenus found that over 50 million patient records were compromised last year, with a total of 905 incidents reported. This reflected a 44% rise in the number of hacking incidents affecting healthcare organizations.
Healthcare-related data breaches affected over 22.6 million patients in total in 2021, with the single largest reported data breach affecting more than 3 million individuals. This was the Accellion FTA breach, which we’ll cover in more detail later.
In total, there were over 600 reported healthcare breaches last year in the USA. As part of the HITECH Act, the US government publishes a list of all reported healthcare breaches affecting 500 or more individuals.
Data breaches in healthcare have climbed for the past five years, rising a massive 42% in 2020 when the pandemic hit. Of all ransomware attacks reported in 2020, 60% specifically targeted the healthcare sector.
Which Sectors Are Most At Risk From Healthcare Related Cyber-Attacks?
A survey of one hundred hospital IT executives revealed that small and mid-sized hospitals are most at risk of cyber-attack, with 48% of executives revealing that their organization had been forced to shut down in the last six months due to a cyber-attack.
The survey revealed that for larger hospitals (those with 1,000 or more beds) the average time spent shut down was over 6 hours, at a cost of $21,500 USD per hour. For smaller hospitals however, the shutdowns regularly lasted over 9 hours, with an eye-watering cost of $47,500 USD per hour. Clearly, smaller healthcare organizations are being hit hardest by cyber-attacks. Smaller organizations tend to have smaller budgets for cybersecurity, making them a prime target for malicious actors.
A report from cybersecurity firm Tenable also revealed that medical suppliers were a frequent target of cybercriminals. Third-party organizations are used as a route to gain unauthorized access to healthcare systems, circumventing internal protections. 60% of healthcare data breaches in 2021 were reportedly caused by third-party vendors.
Outside of hospitals, pharmaceutical companies are suffering a major rise in data breaches, with 53% caused by malicious activity. Care homes too have become a very high-value target for cyber-criminals due to low security budgets and high-value personal data.
In Europe, healthcare data breaches related to cyber-crime also continue to increase. The UK was home to one of the most high-profile data breaches, the WannaCry ransomware attack in 2017, which led to a major increase in cybersecurity controls, with the NCSC mitigating 777 incidents in the last 12 months. The German government reported a doubling of healthcare-related cyber-attacks in 2020, with France reporting 27 breaches last year alone.
What Cyber Threats Is Healthcare Most At Risk Of?
The cyber-attack that healthcare organizations are most at risk from is ransomware. Between July and September last year alone, researchers found that 68 healthcare ransomware attacks had taken place around the world. 60% of healthcare ransomware attacks took place in the United States, with medical clinics being the most frequently attacked.
A report from Sophos found that 34% of healthcare organizations were reportedly affected by ransomware globally in 2020. Of that number, 65% of healthcare organizations reported that cyber-criminals had been successful in encrypting data. A further 34% paid the ransom in order to get their data back.
The average cost in healthcare for remediating a ransomware attack is $1.27 million USD, with some studies reporting the total average cost of a ransomware attack in healthcare as $4.6 million per incident.
The healthcare sector has seen a 45% increase in ransomware attacks over 2021. Worryingly, 41% of healthcare organizations that have not experienced a ransomware attack believe that they are likely to be hit in the future.
Ransomware attacks on healthcare can have far more tragic consequences. Shutdowns of hospital databases and even medical equipment caused by ransomware can lead, and have led, to patient deaths, which are often wholly preventable, according to a recent survey.
Phishing is one of the most common cyber-threats across the board, with 81% of organizations affected by phishing last year. Healthcare is no exception, and phishing attacks are among the most common attacks in the healthcare sector. Phishing can range from mass email campaigns designed to trick employees into giving up passwords, to highly targeted campaigns designed to elicit fake invoice payments.
During the height of the COVID-19 pandemic, phishing attacks rose by a staggering 220%.
A subset of phishing campaigns is Business Email Compromise (BEC), in which attackers aim to compromise email accounts in order to send out even more realistic phishing scams. Known as the ‘26-billion-dollar scam’ by the FBI, BEC attacks can be highly effective in the healthcare environment.
Email-related cyber-crime in the healthcare industry, including phishing attacks and business email compromise, rose by 42% last year.
The Cost Of Healthcare Data Breaches
Healthcare-related data breaches cost a total of $21 billion in 2020. A recent report from IBM found that the average cost of a healthcare data breach was $9.23 million USD, an increase of $2 million USD from the previous year.
The cost of a healthcare data breach is often far higher than in other industries, due to the involvement of sensitive personally identifiable information (PII) and medical records. Such data is expensive to recover and can lead to compliance fines if not properly safeguarded. The average cost per record for PII data is $180, far above the average cost of $161 per record for all other types of data. Stolen PII on its own has been estimated to have cost the US healthcare industry up to $7 billion USD last year.
It has been estimated that over the next three years healthcare related data breaches will cost healthcare companies a total of $6 trillion USD. To help combat this, healthcare organizations are spending a lot of money to bolster cybersecurity defenses. Healthcare organizations will spend $125 billion USD on cybersecurity from 2020 to 2025.
The Three Biggest Cybersecurity Attacks In 2021
Accellion Data Breach
Accellion (now known as Kiteworks) is an American technology provider that suffered a data breach in late 2020 when its 20-year-old File Transfer Appliance system was hacked with a zero-day exploit. The breach was the single largest healthcare-related hack in 2021, affecting over 3.51 million people.
This attack had wide-ranging repercussions, affecting at least a hundred different organizations, but the healthcare sector became one of its main victims. At least 10 different healthcare organizations suffered data breaches, including hospitals, medical schools and clinics.
Florida Healthy Kids Corporation
In February 2021, a Florida-based healthcare facility found that its web hosting provider had failed to patch over seven years’ worth of vulnerabilities, affecting over 3.5 million patients, making it one of the biggest healthcare-related data breaches of all time.
Unauthorized users gained access to the unsecured system and tampered with the data of thousands of applicants to the facility.
20/20 Eye Care Network
In June 2021, another Florida-based company was the victim of a data breach. This involved a breach of Amazon AWS web servers, giving the cybercriminals access to Social Security numbers, identification numbers, dates of birth and health insurance information, a major security breach.
This attack reportedly affected over three million people, and the organization affected faced a lawsuit as a result of the data loss.
Beyond the healthcare breaches affecting the most people, there have been a number of other high-profile healthcare attacks over the past year. One of the most widely publicized was the ransomware attack on Planned Parenthood in Los Angeles, which saw the records of 400,000 people breached.
Information accessed included personal addresses, insurance information and highly sensitive medical records.
Preventing Healthcare Related Data Breaches
There are a number of steps healthcare organizations should take to prevent data breaches.
We highly recommend healthcare organizations implement strong email security solutions; this can help to prevent the delivery of phishing attacks and business email compromise. We also recommend the use of endpoint security to prevent viruses and malware attacks, as well as ensuring strong web security is in place.
Security awareness training can also be an important tool to help improve awareness around security issues and how to limit the risk of cyber-attacks in a healthcare setting.
Many experts are also recommending healthcare organizations implement Zero Trust Network Architecture. This is an important step to help limit the risk of supply chain and vendor attacks affecting healthcare organizations.
Read the guides below for more information on how healthcare organizations can prevent cyber-attacks.