Healthcare breaches have increased significantly in recent months, according to U.S. government data.
A list created by the U.S. Department of Health and Human Services (HHS) includes at least 125 electronic data breaches of healthcare organizations reported since the beginning of April. One notable example is the Yuma Regional Medical Center in Arizona; the hospital recently disclosed that it was struck by a ransomware attack that exposed the data of 700,000 individuals.
The Yuma breach was one of the largest disclosed during the past two and a half months, and the largest in that period to be identified as a ransomware attack.
The hospital detected the intrusion on April 25 and at first described it only as a data breach; it confirmed ransomware in the notification letters it sent to potentially affected individuals. According to those letters, Social Security numbers and other personal data were stolen. Patient services were largely unaffected, however, because the hospital had backups and other emergency procedures in place.
Healthcare has long been a target for threat actors, and for ransomware groups in particular, in part because the sector chronically underfunds cybersecurity. Even so, 2022 has already shown a sharp increase in the rate of breaches.
Between Jan. 1 and May 31, HHS listed 244 electronic data breaches of healthcare organizations affecting at least 500 people. The figure for the same period in 2021 was 137, so the count has risen by roughly 78% year over year.
The HHS website lists every breach affecting at least 500 people that was reported in the past 24 months and is still under investigation. The site also cites the regulations that require the listing and explains the reporting process.
"The regulations, developed by OCR, require health care providers and other HIPAA-covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals," the site states. "Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis."
The list ranges from local institutions that barely cross the 500-victim reporting threshold to national and international breaches that exposed the personal data of millions.
While the Yuma attack was the largest data breach in April, it has since been surpassed by breaches in California and Massachusetts disclosed in May.
The Partnership HealthPlan of California breach, disclosed May 18, affected 854,913 people, and the breach of Shields Health Care Group in Quincy, Mass., affected 2 million people across more than 50 facilities. Shields Health Care said that names, Social Security numbers, dates of birth, medical records, addresses and insurance information could have been accessed.
In total, there have been 21 instances since April 1 in which a healthcare organization suffered a data breach that affected at least 50,000 people. When the bar is raised to 100,000 victims, there were still 10 such breaches.
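The counts above come from filtering the HHS breach list by submission date and number of individuals affected. The script below is an added example (not code from the article or from HHS) that reproduces that kind of tally from the portal's CSV export. The column names and the MM/DD/YYYY date format are my recollection of the portal's export and should be checked against the header of a real download; the rows embedded in it are constructed sample data, not real portal entries.

```python
"""Tally HHS breach-portal entries by date window, victim threshold and breach type.

Added example. Column names and date format are ASSUMED to match the HHS OCR
breach portal CSV export; verify against an actual download. SAMPLE_CSV is
constructed data, not real portal records.
"""
import csv
import io
from collections import Counter
from datetime import date, datetime

# Constructed sample rows in the assumed export layout. Note the quoted,
# comma-formatted number in the first row, which a naive int() would reject.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Regional Medical Center,AZ,Healthcare Provider,"700,000",06/10/2022,Hacking/IT Incident,Network Server
Example Health Plan,CA,Health Plan,854913,05/18/2022,Hacking/IT Incident,Network Server
Example Imaging Group,MA,Business Associate,2000000,05/27/2022,Hacking/IT Incident,Network Server
Small Town Clinic,OH,Healthcare Provider,512,04/03/2022,Unauthorized Access/Disclosure,Email
Rural Dental,TX,Healthcare Provider,61000,03/15/2022,Hacking/IT Incident,Email
"""

# Date formats to try; the portal export is assumed to use the first.
DATE_FORMATS = ("%m/%d/%Y", "%Y-%m-%d")

# Windows used in the article's tallies (end of the "since April" window is assumed).
WINDOW_SINCE_APRIL = (date(2022, 4, 1), date(2022, 6, 15))
WINDOW_JAN_MAY = (date(2022, 1, 1), date(2022, 5, 31))


def parse_date(text: str) -> date:
    """Parse a submission date, accepting either assumed format."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")


def load_rows(csv_text: str) -> list:
    """Parse the export into dicts with typed 'affected' and 'submitted' fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "entity": rec["Name of Covered Entity"].strip(),
            "state": rec["State"].strip(),
            "affected": int(rec["Individuals Affected"].replace(",", "").strip()),
            "submitted": parse_date(rec["Breach Submission Date"]),
            "type": rec["Type of Breach"].strip(),
        })
    return rows


def in_window(rows, start, end, min_affected=500):
    """Rows submitted within [start, end] that meet the victim threshold."""
    return [r for r in rows
            if start <= r["submitted"] <= end and r["affected"] >= min_affected]


def count_in_window(rows, start, end, min_affected=500) -> int:
    return len(in_window(rows, start, end, min_affected))


def largest(rows, start, end, n=3):
    """The n largest breaches in the window as (entity, affected) pairs."""
    ranked = sorted(in_window(rows, start, end), key=lambda r: r["affected"], reverse=True)
    return [(r["entity"], r["affected"]) for r in ranked[:n]]


def breach_types(rows, start, end) -> Counter:
    """How many reports in the window fall under each 'Type of Breach' label."""
    return Counter(r["type"] for r in in_window(rows, start, end))


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("reports since April 1 (>=500):", count_in_window(rows, *WINDOW_SINCE_APRIL))
    print(">=50,000:", count_in_window(rows, *WINDOW_SINCE_APRIL, min_affected=50_000))
    print(">=100,000:", count_in_window(rows, *WINDOW_SINCE_APRIL, min_affected=100_000))
    print("largest:", largest(rows, *WINDOW_SINCE_APRIL))
    print("by type:", breach_types(rows, *WINDOW_SINCE_APRIL))
```

To run it against the real portal, replace SAMPLE_CSV with the contents of a downloaded export and confirm the header row before trusting the column names. One practical caveat the tallies in the article inherit: the portal records the submission date, not the date of the intrusion, and the "Type of Breach" field lumps ransomware under "Hacking/IT Incident", so distinguishing ransomware from other intrusions requires reading the notification letters, as the article did for Yuma.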
Healthcare breaches on the rise
Cybersecurity vendors have also observed an increase in data breaches in the healthcare industry of late.
A 2021 study by Critical Insight, based on HHS data, found an 84% increase in the number of data breaches against healthcare organizations between 2018 and 2021. The total number of victims jumped from 14 million in 2018 to 44.9 million in 2021.
Michael Hamilton, CISO at Critical Insight, said the number of breaches is continuing to climb in 2022, but the form of the attacks is changing: some threat actors now steal data and ransom it back rather than encrypting entire networks and disrupting urgent medical care.
"One reason I think for the number of records being disclosed going up is there was this rhetorical change by the federal government, and they said, 'If you use ransomware against critical infrastructure, you're no longer a criminal -- now you're a terrorist,'" Hamilton said. "That gave a lot of people some pause. So if you're not going to screw up the network to extort a hospital, you just steal their records. That's why records theft is going up."
Critical Insight was not the only company to track this -- a May report by Sophos on ransomware in the healthcare industry also showed steep increases in attacks over the past two years.
The report was based on a survey of 5,600 IT professionals, including respondents working in healthcare. It found that "66% of healthcare organizations were hit by ransomware last year, up from 34% in 2020" and that healthcare saw the largest increase in attack volume of any sector, at 69% year over year. Sophos attributed part of the 2021 increase to the Conti ransomware group, which is known to target healthcare organizations.
Heading into the second half of 2022, Chester Wisniewski, principal research scientist at Sophos, said that while Russian threat actors may at first have shown restraint in attacking the U.S., now, deep into Russia's invasion of Ukraine, "the gloves are off."
"I believe that there is no reason to exercise restraint any longer, and we might find healthcare organizations will become even more attractive targets, alongside critical infrastructure, as the relationship between Russia and Western Europe and North America continues to decline," Wisniewski said.
"Patriotic criminal gangs may decide to hit us in the infrastructure," Hamilton said. "I doubt that hospitals would be the first choice but because hospitals are so poorly protected they become kind of the default first choice if you want to poke another country, right in a place where it's going to make all the citizens pissed off. Making hospitals not operate is a real good way to do that, especially with an ongoing pandemic."
Sophos also found that healthcare organizations paid the demanded ransom in exchange for a decryptor more often in 2021 (61% of the time) than in 2020 (34%). That was the highest payment rate of any sector; the cross-sector average in 2021 was 46%.
The report attributed the high payment rate to how quickly ransomware can cripple a healthcare organization's operations and finances. According to Sophos, 94% of the healthcare respondents said "the most significant attack impacted their ability to operate," and 90% of private organizations reported lost business or revenue.
The Sophos report did provide more hopeful statistics when it came to the use of cyber insurance.
The report found that cyber insurance is generally harder for healthcare organizations to obtain, but the standards insurers impose are pushing those organizations to improve their security posture: 97% of healthcare organizations with cyber insurance made security changes to improve their standing with their insurer.
Sophos also found that once a healthcare organization held a policy, the insurer covered at least some of the costs of a ransomware attack in 97% of cases.
Hamilton noted that cyber insurance is often unaffordable for healthcare organizations with small security budgets, but that the rising cost of policies is driving more spending on security controls.
"I'm seeing people recoil in horror about 100% increases in cyber insurance, and what this is doing is it's spurring more investment internally for controls," he said.