Healthcare Data Breaches in 2018: A Bad Year for Patient Privacy

Worst Healthcare Cyber Attacks in US

Healthcare has become the second largest sector of the U.S. economy, accounting for 18% of our country’s gross domestic product (rivaled only by the U.S. Federal Government at 20%). So, it should come as no surprise that healthcare organizations—including hospitals, labs, pharmacies, drug companies, and outpatient clinics—have attracted the attention of cyber criminals. And in 2018, attackers have been hitting the industry hard.


Healthcare Data Breaches by Month in 2018

It has not been a good year for patient privacy. So far, there have been 241 data breaches and over 6 million healthcare records exposed, stolen, or disclosed. July was by far the worst month, when over 2.2 million records were exposed. While improper disposal of records, unauthorized access, loss, and theft were factors in some incidents, the largest offender is hacking. According to the HIPAA Journal, hacking results in the exposure of more healthcare records than all other types of breaches combined.
UnityPoint Health: The Biggest Healthcare Breach of 2018

In July, UnityPoint Health—a Madison, Wisconsin-based hospital—was forced to notify 1.4 million patients that their records were breached due to a phishing attack. Adding insult to injury, this is the second breach for UnityPoint this year; in April, another phishing attack on staff email accounts compromised the data of 16,000 patients. The attack was carried out by hackers who sent phony emails to employees, impersonating a top executive and requesting access to email accounts. Staff complied, giving the hackers easy access to the confidential records.

The hacked accounts included protected health information such as names, addresses, medical data, treatment information, lab results, and insurance information. For some of the 1.4 million patients, payment card and Social Security numbers were also included in the breach.


3 Reasons Hackers Love the Healthcare Industry

While it’s not uncommon to hear about cyber-attacks like the recent Facebook breach or the attack on the City of Atlanta, healthcare breaches tend to fly under the radar until one affects our own records. But it’s important to keep informed of breaches, and to understand what makes healthcare so attractive to hackers.


1. Valuable Data

No surprise here, except perhaps just how valuable this data can be. Whereas a stolen credit card yields an average profit of $2,000 and quickly becomes worthless, a single medical file yields an average profit of $20,000. Why are medical files so much more lucrative? Because records can be used for billing fraud, medical identity theft, and purchasing drugs for resale. Plus, the criminal activity takes much longer to discover, and the only limit on how much can be charged against a record is the coverage limit of the victim’s health insurance policy.


2. Lack of IT Investment and Training

The healthcare industry spends less than 3% of its revenue on technology budgets. That means there is little training for employees, a smaller chance of having data protection and disaster recovery in place, and less phishing testing, even though phishing is one of the most common ways hackers introduce malware into an organization.


3. Highly-Connected Systems

In healthcare, an attack on one area of the IT infrastructure can bring down the entire network. This makes hospitals a perfect target for ransomware, for example, because lives are at risk. Without access to patient records, such as drug histories and surgery directives, patient care can be delayed. Rather than allow patients to die or face lawsuits, hospitals find it prudent to pay the ransom and get back to business.


How Healthcare Organizations Can Fight Back

Healthcare security professionals need to understand the threats they face and the regulations they must comply with, such as HIPAA, and they need best practices for strengthening their cybersecurity defenses. This means implementing comprehensive security awareness training that educates all staff on current threats, the red flags to look for in an email message, and what to do in case of an attack. And because threats are always evolving (and people tend to slip back into old habits after a while), it’s important to hold training regularly.

Healthcare organizations should also put strong data protection and disaster recovery plans in place. With cloud computing and Disaster Recovery as a Service (DRaaS), data recovery time following a breach can be at, or near, zero. Plus, with a cloud provider's continuous backups, healthcare organizations can revert to the last “clean” snapshot of patient data rather than giving in to the demands of cyber criminals and paying the ransom. A reputable cloud provider is also HIPAA and HITECH compliant, with multiple safeguards in place to protect data. Want to learn more about data protection and disaster recovery? Contact the IT experts at DSM. DSM’s H-Cloud is designed for the healthcare sector to protect patients and valuable data.
