Data breaches in healthcare: How many have been exposed?
A record 133 million individuals were potentially affected by healthcare data breaches reported in 2023, more than double the previous year. The number is equivalent to almost 40% of the U.S. population.
The number of reported breaches affecting 500 or more individuals also hit a new high of 739 in 2023 compared with 720 in 2022, according to the latest data posted to the Health and Human Services Department's Office for Civil Rights breach portal.
This year is already off to an ominous start. As of Feb. 21, about 11.6 million people had their data exposed in 2024 from 79 reported breaches affecting 500 or more individuals, according to the OCR portal's most recent update. The number doesn’t include the Change Healthcare and Lurie Children’s breaches.
Not every breach stems from a cyberattack in which a bad actor holds information for ransom or steals it to sell. An accidental exposure of protected health information by a third-party vendor can also be classified as a breach, as can a physical theft such as a stolen laptop. Still, roughly 80% of the data breaches last year were attributed to a hacking or IT incident. Breach-related network outages aren't always the direct work of hackers, either; they often result from companies disconnecting systems until detected threats are contained.
Why have threats against health organizations worsened?
Cliff Steinhauer, director of information security and engagement at the nonprofit organization National Cybersecurity Alliance, said hackers’ attitudes have gotten worse and the healthcare industry has suffered.
“We have seen the ethics of the hackers really reach new lows,” Steinhauer said. “There is no organization that they won't attack when it comes to innocent people. We're talking about children's hospitals, kids’ cancer organizations, it doesn't seem to matter anymore. They used to not attack hospitals, but now there’s really nothing holding them back.”
John Riggi, AHA national adviser for cybersecurity and risk, previously told Modern Healthcare third-party vendors and tech companies operating in the U.S. healthcare system are becoming targets for hacking groups or criminal organizations based primarily in Russia, China, North Korea and Iran. Change Healthcare blamed its incident on a foreign government-associated actor.
How much have health systems spent on cybersecurity?
Until recently, many healthcare organizations had not given information security executives the resources and staffing necessary to build out better cybersecurity programs, experts said.
A December survey of 100 health system chief information security officers conducted by executive search firm WittKieffer found half of organizations spent between 5% and 9% of their IT or other departmental budgets on information security.
But even these results represent a step in the right direction, said Zachary Durst, an information security consultant at WittKieffer.
“About 20% of your IT budget should be on cybersecurity depending on the metric you use,” Durst said. “If you went back a few years, those numbers wouldn't be as high as they are even today.”
Only 4% of respondents said their organizations spent more than 15% of their IT budgets on cybersecurity.
Leaders are starting to recognize the need for better defenses, however. Health system C-suite executives are making cybersecurity their top IT budget priority this year, according to a November survey from consulting company Guidehouse.
Many companies will still face challenges, Steinhauer said.
“If you're a smaller organization, you may not have the resources to invest in establishing a robust cybersecurity program,” he said.
How has the government responded to increased threats?
Several departments within the federal government have offered help to the healthcare industry. In October, HHS and the Cybersecurity and Infrastructure Security Agency released a cybersecurity toolkit for healthcare organizations. A few months later, HHS issued healthcare-specific guidance and a voluntary performance goal framework.
The Federal Bureau of Investigation, CISA and HHS on Tuesday shared an updated advisory regarding BlackCat ransomware and its effect on the healthcare sector.
Can the attack on Change Healthcare lead to change?
The Change Healthcare cybersecurity incident should help more organizations understand no one is immune to this problem, experts said. When a company the size of Change Healthcare, which manages 15 billion transactions a year, gets hacked, it will force many healthcare organizations to look at their own cybersecurity protocols, said Nicholas Giannas, principal at WittKieffer.
Steinhauer said victimized organizations need to be more transparent about how these incidents occur and what people can learn from their mistakes.
Still, he's not hopeful the Change Healthcare cyberattack will spur an industry-wide transformation in terms of attitudes or resources.
“A lot of security people that have been doing this for a long time are pessimistic. Unfortunately, I'm starting to cross over into that side of things,” Steinhauer said. “I would love to see real progress made but it’s been really slow.”
Correction: An earlier version of this article incorrectly said CISA, FBI, HHS issued the advisory regarding BlackCat ransomware Wednesday.