Dive Brief:
- There were fewer total healthcare data breaches reported in the first six months of 2023 than in the back half of 2022; however, the scale of individual breaches has grown, according to a recent report from cybersecurity firm Critical Insight.
- This year, 40 million people have been impacted by healthcare data breaches — the highest number the consultancy firm has observed since it began collecting data on breaches. The surge in breach size is partially attributable to hackers targeting healthcare providers’ business associates, the report found.
- Data breaches have vexed the industry, impacting 385 million patient records between 2010 and 2022. The report noted healthcare leaders must “remain vigilant” in the face of evolving threats and prioritize preparation, detection and effective incident response.
Dive Insight:
In the first half of 2023, healthcare providers reported a 15% reduction in data breaches compared to the latter half of 2022. Should the trend persist, this year is projected to have fewer total provider data breaches than any of the previous three years.
However, the threat landscape may simply be evolving as cyber criminals adapt their tactics to “minimize risk and maximize the return on effort,” Mike Hamilton, founder and CISO at Critical Insight, said in a statement.
Though providers experience three times as many breaches as their business associates, breaches that impact third-party business associates increasingly have an outsized impact.
Of the 40 million healthcare records exposed so far this year, nearly 50% were exposed due to attacks aimed at healthcare providers’ third-party business associates.
These attacks tend to be larger in scale than attacks on providers or health plans, impacting an average of more than 304,000 records per breach, while provider and health plan breaches on average impact less than 86,000 records.
“Hackers are increasingly targeting the weakest links and vulnerable points in the supply chain, specifically business associates or third-party companies that offer services to healthcare organizations,” John Delano, healthcare cybersecurity strategist at Critical Insight, said in a statement. “Now more than ever, healthcare organizations must remain vigilant of their security and exposures within their supply chain as attackers constantly adapt new strategies.”
Over three quarters of attacks in 2023 have targeted network servers, the report found. Email was another main vulnerability, accounting for nearly 20% of attacks. Electronic medical record systems, the report noted, drove a “negligible” number of associated incidents.
The average cost of a healthcare data breach is nearly $11 million, up 53% since 2020. So far this year, organizations including HCA Healthcare have reported large-scale incidents, with HCA’s breach this summer impacting 11 million records.
Breaches can lead to legal ramifications for healthcare organizations. In July, Johns Hopkins Health System was served with a class action lawsuit alleging negligence following a data breach that may have compromised “tens/hundreds of thousands” of records.