Healthcare Data Breaches Doubled in 3 Years: Here's Why

Targeting of Providers, Plans and Partners Endangers Patients, 'Isn't Going Away'
Since 2009, healthcare breaches have affected the personal information of 370 million people - more than the entire U.S. population.

Federal statistics show that the number of individuals affected by the more than 5,000 major health data breaches since 2009 exceeds the total U.S. population, indicating that some people likely have been the unfortunate victims of more than one incident.

And the situation seems to be growing worse. In fact, in just the last three years, the volume and frequency of breaches have nearly doubled, from 368 in 2018 to 715 in 2021. And the nation is on track for more than 700 major health data security incidents this year.

As of Nov. 10, the Department of Health and Human Services' "wall of shame" website that tracks health data breaches affecting 500 or more individuals shows 595 breaches posted so far in 2022, affecting more than 40 million individuals.

Hacking incidents top the list as the most common type of health data breach to be reported to regulators in recent years, and phishing scams, ransomware attacks and data extortion attempts affect tens of millions of individuals every year.

"Every industry and every subindustry in healthcare is seeing an increase in attacks," says Taylor Lehman, director of the Office of the CISO for Google Cloud. "We're seeing increased attacks on medical devices. We're seeing increasing attacks on life sciences organizations. We're seeing it for a variety of reasons. This isn't going away."

Healthcare breaches have nearly doubled since 2018, according to federal reports. (Source: Department of Health and Human Services)

Potentially Deadly Impact on Patient Care

Many of these incidents don't just compromise the privacy and security of individuals' protected health information. Some result in significant IT system disruptions that interfere with patient care, potentially posing serious safety concerns.

Just ask Kelley Parsi, an Iowa mother whose 3-year-old son Jay in October was inadvertently administered a megadose of medication during an unexpected visit to MercyOne Medical Center in Des Moines after the boy began experiencing complications following a recent tonsillectomy.

When Parsi initially took the boy to the hospital, she was unaware that the medical center was one of several CommonSpirit Health facilities dealing with a ransomware attack that had forced electronic health records, e-prescribing and related IT systems to be taken offline. CommonSpirit Health, the nation's fourth-largest provider, which manages 142 facilities across the country, sold MercyOne in September but still shares digital infrastructure with the hospital.

Jay Parsi, 3, with his parents before receiving a megadose of painkillers during a ransomware attack on MercyOne Medical Center (Source: Kelley Parsi)

Parsi says that with the hospital's systems offline, hospital staff completed Jay's medication orders manually. "Because the computer system was down … it was handwritten and they misread it," she says, resulting in Jay receiving five times more medication than what was prescribed - and twice the amount that should have been prescribed based on his age and size.

Upon discovering the error, the hospital kept the child under observation and flooded him with IV fluids before releasing him. Thankfully, he is fully recovered, Parsi says, but during her stay, hospital personnel had no access to her son's medical records - instead relying on sticky notes. On three occasions, they offered to administer ibuprofen, which was against her doctor's orders, and they struggled with converting his weight from pounds to kilograms, she says.

"They're working in the dark," Parsi says. "I can't even imagine how they were trying to navigate it."

Unfortunately, CommonSpirit facilities affected by the ransomware incident still hadn't fully recovered more than a month after the attack.

CommonSpirit in a Nov. 9 statement posted on its website says it is continuing to manage response to the cyberattack still affecting some of its facilities. "Our teams continue to work diligently to bring systems online and restore full functionality as quickly and safely as possible, including electronic health records," the statement says.

Providers in the majority of markets now have access to the EHR across the CommonSpirit Health system, including hospitals and clinics, the statement says. In addition, most patients can again review their medical histories through the patient portal. "We are working to restore appointment scheduling capabilities to the portal in cases where that feature exists."

Growing Costs of Healthcare Breaches

Besides the safety risks ransomware attacks can pose to patients, the incidents also hit healthcare entities where it can hurt most - their pocketbooks.

For instance, last year, San Diego-based Scripps Health incurred $112 million in costs in the first month after a May 2021 ransomware attack - including nearly $92 million in lost revenue related to redirecting emergency room visits and postponing elective surgeries. The hospital paid another $21 million in incident response and recovery costs.

On top of that, Scripps Health was hit with at least four class-action lawsuits within the first few weeks of the attack related to the compromise of personal information for nearly 150,000 patients. These lawsuits can result in millions of dollars in settlement costs and legal fees.

And ransomware incidents are not the only reason healthcare entities are taking a financial hit. Georgia-based home healthcare and hospice provider Aveanna Healthcare is paying a total of nearly $1 million to settle a regulatory enforcement action and separate class action lawsuit against the company in the wake of a 2019 phishing incident that affected nearly 170,000 patients.

That amount includes the $500,000 Aveanna this month paid to the commonwealth of Massachusetts to end state litigation tied to the data breach, along with agreeing to shell out $800,000 in cash payments and credit monitoring costs to class members of a federal lawsuit involving the same incident.

Class Action Lawsuits on the Rise

But the costs can run much higher for some healthcare entities that experience larger breaches.

In one high-profile case, a 2015 breach at UCLA Health that affected 4.5 million patients, the university paid $7.5 million to settle a consolidated class action lawsuit in 2019. The university agreed to set up a $2 million fund to pay patients for damages related to the release of information and to pay for credit monitoring for two years. The UCLA settlement was one of the first to require the organization's IT department to invest in new security controls.

"We wanted to make sure that they were doing some things over and above what they were already doing, based on the internal reporting we saw about what was going on there," says attorney Jeff Westerman of Westerman Law, which represented plaintiffs in that case.

It's not only healthcare providers and hospitals getting slapped for breaches. The Massachusetts consent order against Aveanna in the company's breach comes weeks after New York financial regulators struck vision health insurance giant EyeMed Vision Care with a $4.5 million fine to settle an investigation into a 2020 data breach incident affecting 2.1 million individuals nationwide, including nearly 99,000 New Yorkers (see: NY State Smacks EyeMed Vision with Another Breach Fine).

That fine was the second by the state against EyeMed. In January, the New York attorney general announced a $600,000 settlement with EyeMed for the same data security incident.

The largest HIPAA enforcement fine so far by HHS' Office for Civil Rights was $16 million in a settlement against health plan Anthem for a 2014 hacking incident affecting nearly 79 million individuals.

Enforcement actions by state and federal agencies in the wake of health data breaches, such as those in the Aveanna and EyeMed incidents, are highly likely to trend upward, says regulatory attorney Rachel Rose, who was not involved in either of those cases.

That's because regulators are paying increased attention to critical infrastructure, consumer rights and the more aggressive types of ransomware and other cyberattacks, she says. Those regulatory actions in turn can fuel more civil litigation in breach cases, she says.

"Plaintiff's counsel can always use the existence of a government investigation or settlement as leverage to substantiate the likelihood of a material cybersecurity event," she says. "From the defense standpoint, the timing of settlements, as well as utilizing any proactive compliance measures, is critical."

Focusing on Patient Safety

Dave Summitt, vice president of cybersecurity at Florida Cancer Specialist And Research Institute, says security teams need to consider the safety of patients - not just the security of servers and the potential costs and downtime related to an attack.

"It's what's going to happen to patient care if that server goes down," Summitt says. "That has to be first and foremost for any security team."

Parsi, who experienced the impact of ransomware firsthand with her son Jay, says the effect on patients is terrifying.

"I'm confused as to why people are targeting hospitals and potentially trying to accidentally or maybe even intentionally kill people because of these medication errors - or just any error," Parsi says. "It's a very, very scary thing."

Over 5,000 health data breaches since 2009 have affected the personal information of 370 million people. Ransomware gangs and hackers are targeting healthcare providers, insurance firms and partners at an alarming rate. Targeting Healthcare explores these trends and how the industry can respond.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
