Healthcare Data Breaches Doubled in 3 Years: Here's Why
Targeting of Providers, Plans and Partners Endangers Patients, 'Isn't Going Away'
Federal statistics show that the number of individuals affected by the more than 5,000 major health data breaches since 2009 exceeds the total U.S. population, indicating that some people likely have been the unfortunate victims of more than one incident.
And the situation seems to be growing worse. In fact, in just the last three years, the volume and frequency of breaches have nearly doubled, from 368 in 2018 to 715 in 2021. And the nation is on track for more than 700 major health data security incidents this year.
As of Nov. 10, the Department of Health and Human Services' "wall of shame" website that tracks health data breaches affecting 500 or more individuals shows 595 breaches posted so far in 2022, affecting more than 40 million individuals.
Hacking incidents top the list as the most common type of health data breach to be reported to regulators in recent years, and phishing scams, ransomware attacks and data extortion attempts affect tens of millions of individuals every year.
"Every industry and every subindustry in healthcare is seeing an increase in attacks," says Taylor Lehman, director of the Office of the CISO for Google Cloud. "We're seeing increased attacks on medical devices. We're seeing increasing attacks on life sciences organizations. We're seeing it for a variety of reasons. This isn't going away."
Potentially Deadly Impact on Patient Care
Many of these incidents don't just compromise the privacy and security of individuals' protected health information. Some result in significant IT system disruptions that interfere with patient care, potentially posing serious safety concerns.
Just ask Kelley Parsi, an Iowa mother whose 3-year-old son Jay in October was inadvertently administered a megadose of medication during an unexpected visit to MercyOne Medical Center in Des Moines after the boy began experiencing complications following a recent tonsillectomy.
When Parsi initially took the boy to the hospital, she was unaware that the medical center was one of several CommonSpirit Health facilities dealing with a ransomware attack that had forced electronic health records, e-prescribing and related IT systems to be taken offline. CommonSpirit Health, the nation's fourth-largest provider, which manages 142 facilities across the country, sold MercyOne in September but still shares digital infrastructure with the hospital.
Parsi says that with the hospital's systems offline, hospital staff completed Jay's medication orders manually. "Because the computer system was down … it was handwritten and they misread it," she says, resulting in Jay receiving five times more medication than what was prescribed - and twice the amount that should have been prescribed based on his age and size.
Upon discovering the error, the hospital kept the child under observation and flooded him with IV fluids before releasing him. Thankfully, he is fully recovered, Parsi says, but during her stay, hospital personnel had no access to her son's medical records - instead relying on sticky notes. On three occasions, they offered to administer ibuprofen, which was against her doctor's orders, and they struggled with converting his weight from pounds to kilograms, she says.
"They're working in the dark," Parsi says. "I can't even imagine how they were trying to navigate it."
Unfortunately, CommonSpirit facilities affected by the ransomware incident still hadn't fully recovered more than a month after the attack.
CommonSpirit in a Nov. 9 statement posted on its website says it is continuing to manage response to the cyberattack still affecting some of its facilities. "Our teams continue to work diligently to bring systems online and restore full functionality as quickly and safely as possible, including electronic health records," the statement says.
Providers in the majority of markets now have access to the EHR across the CommonSpirit Health system, including hospitals and clinics, the statement says. In addition, most patients can again review their medical histories through the patient portal. "We are working to restore appointment scheduling capabilities to the portal in cases where that feature exists."
Growing Costs of Healthcare Breaches
Besides the safety risks ransomware attacks can pose to patients, the incidents also hit healthcare entities where it can hurt most - their pocketbooks.
For instance, last year, San Diego-based Scripps Health incurred $112 million in costs in the first month after a May 2021 ransomware attack - including nearly $92 million in lost revenue related to redirecting emergency room visits and postponing elective surgeries. The hospital paid another $21 million in incident response and recovery costs.
On top of that, Scripps Health was hit with at least four class-action lawsuits within the first few weeks of the attack related to the compromise of personal information for nearly 150,000 patients. These lawsuits can result in millions of dollars in settlement costs and legal fees.
And ransomware incidents are not the only reason healthcare entities are taking a financial hit. Georgia-based home healthcare and hospice provider Aveanna Healthcare is paying a total of nearly $1 million to settle a regulatory enforcement action and separate class action lawsuit against the company in the wake of a 2019 phishing incident that affected nearly 170,000 patients.
That amount includes the $500,000 Aveanna this month paid to the commonwealth of Massachusetts to end state litigation tied to the data breach, along with agreeing to shell out $800,000 in cash payments and credit monitoring costs to class members of a federal lawsuit involving the same incident.
Class Action Lawsuits on the Rise
But the costs can run much higher for some healthcare entities that experience larger breaches.
In one high-profile case, a 2015 breach at UCLA Health that affected 4.5 million patients, the university paid $7.5 million to settle a consolidated class action lawsuit in 2019. The university agreed to set up a $2 million fund to pay patients for damages related to the release of information and to pay for credit monitoring for two years. The UCLA settlement was one of the first to require the organization's IT department to invest in new security controls.
"We wanted to make sure that they were doing some things over and above what they were already doing, based on the internal reporting we saw about what was going on there," says attorney Jeff Westerman of Westerman Law, which represented plaintiffs in that case.
Healthcare providers and hospitals are not the only ones getting slapped for breaches. The Massachusetts consent order against Aveanna in the company's breach comes weeks after New York financial regulators struck vision health insurance giant EyeMed Vision Care with a $4.5 million fine to settle an investigation into a 2020 data breach incident affecting 2.1 million individuals nationwide, including nearly 99,000 New Yorkers (see: NY State Smacks EyeMed Vision with Another Breach Fine).
That fine was the second by the state against EyeMed. In January, the New York attorney general announced a $600,000 settlement with EyeMed for the same data security incident.
The largest HIPAA enforcement fine so far by HHS' Office for Civil Rights was $16 million in a settlement against health plan Anthem for a 2014 hacking incident affecting nearly 79 million individuals.
Enforcement actions by state and federal agencies in the wake of health data breaches such as the Aveanna and EyeMed incidents are highly likely to trend upward, says regulatory attorney Rachel Rose, who was not involved in either of those cases.
That's because regulators are paying increased attention to critical infrastructure, consumer rights and the more aggressive types of ransomware and other cyberattacks, she says. Those regulatory actions in turn can fuel more civil litigation in breach cases, she says.
"Plaintiff's counsel can always use the existence of a government investigation or settlement as leverage to substantiate the likelihood of a material cybersecurity event," she says. "From the defense standpoint, the timing of settlements, as well as utilizing any proactive compliance measures, is critical."
Focusing on Patient Safety
Dave Summitt, vice president of cybersecurity at Florida Cancer Specialist And Research Institute, says security teams need to consider the safety of patients - not just the security of servers and the potential costs and downtime related to an attack.
"It's what's going to happen to patient care if that server goes down," Summitt says. "That has to be first and foremost for any security team."
Parsi, who experienced the impact of ransomware firsthand with her son Jay, says the effect on patients is terrifying.
"I'm confused as to why people are targeting hospitals and potentially trying to accidentally or maybe even intentionally kill people because of these medication errors - or just any error," Parsi says. "It's a very, very scary thing."
Over 5,000 health data breaches since 2009 have affected the personal information of 370 million people. Ransomware gangs and hackers are targeting healthcare providers, insurance firms and partners at an alarming rate. Targeting Healthcare explores these trends and how the industry can respond.
Marianne McGee: Hi, I'm Marianne Kolbasuk McGee with Information Security Media Group. Since 2009, hacking incidents and other health data breaches have compromised the protected health information of 370 million individuals. That's more than the total U.S. population. Many security experts say that 2022 is yet another banner year for cybercriminals.
Taylor Lehman: The intersection of human safety in the provider role makes healthcare providers essentially have a bigger target.
McGee: In fact, the volume and frequency of breaches have nearly doubled over the last three years, from 368 in 2018 to 715 in 2021. And we're on track for at least another 700 incidents this year.
Dave Summitt: Right now is being driven more about world events and in the economic times that we're in. You know, obviously, it's lucrative for threat actors to be making money off of the lowest-hanging fruit. And there, for a while, healthcare was kind of getting out of that lowest-hanging fruit arena, but I'm afraid we're kind of sliding back into it.
McGee: Hacking, ransomware and extortion attacks continue to disrupt healthcare operations. In October, a ransomware attack against the fourth-largest hospital system in the U.S., CommonSpirit Health, knocked out patient portals and other IT systems for some of its 142 hospitals. In the midst of that attack, three-year-old Jay Parsi of Des Moines, Iowa, visited the emergency room of CommonSpirit's MercyOne Medical Center for complications from a recent tonsillectomy. According to his mother, hospital workers told her that in the confusion with systems being down, they accidentally prescribed little Jay a "mega dose" of painkillers, five times the recommended dosage of codeine.
Kelley Parsi: My heart stopped when they first came in to talk to me, and then I'm just sitting there staring at him, like looking for a reaction, waiting for him to act differently. And I didn't dare leave. I could, I didn't want to leave. I didn't want them to give him anything. I just wanted to make sure that he was still responding. It was caused because it was written incorrectly or deciphered incorrectly from what was written. Somebody had wrote it to the internal pharmacy and the pharmacy had somehow - either the pharmacy messed up, is what I'm thinking. But it was caused because the computer system was down.
McGee: Doctors flushed Jay with IV fluids and kept him under observation, releasing him that night. Parsi says her son fully recovered, but her ER experience provides a glimpse into the havoc that ransomware wreaks on the delivery of care.
Parsi: Upstairs, we had met with a different pediatrician and he sat down with us. And he just pulled out a couple pieces of paper and was writing down all of the same information that we had given because they didn't have any records. They didn't have records of Jay's pediatrician. They didn't have records of his surgeon. They didn't have anything. The other thing that they kept trying to do was give him Ibuprofen, which our surgeon had told us, he couldn't have Ibuprofen because he had had a tonsil surgery and that thins your blood and would make the bleeding more severe. And so I kept explaining to them "no ibuprofen, no ibuprofen," but they kept trying to give it to him. They asked me like three times. The other thing they did was asked me his weight, they kept asking me his weight, which they had weighed him. And then they were trying to convert it from kilograms to pounds or pounds to kilograms. They were having a real hard time with that conversion, which I didn't quite understand, why they were having a hard time with that. Like I told my husband, "we have to get out of here. They're going to kill him."
McGee: Some of the hospital's IT systems were affected for more than a month. MercyOne declined interview requests from ISMG but released a video that appears to minimize the impact on services.
Dr. Jessica Zuzga-Reed: I would say that it's not impacted patient care. I think it's just in the way we go about it. Everybody's being taken care of exactly the same way in which their medical care is concerned. But I think the way in which we work as a team in conveying whether it's medications or lab tests or other things, it's just the way in which we've communicated amongst ourselves that has changed.
McGee: CommonSpirit has plenty of company with its ransomware incident. More than 5,000 breaches have been reported since the Department of Health and Human Services Office for Civil Rights began tracking major HIPAA incidents in 2009. Each breach, on average, affects the personal information of about 77,000 people. But big breaches happen every day. So far, in 2022, four breaches account for the exposure of nearly 9 million patient records. That includes the largest breach so far this year reported by a printing and mailing services vendor OneTouchPoint. Others include breaches reported by Baptist Medical Center in Texas, North Broward Hospital District in Florida and a third-party medical debt collector Professional Finance Company. That breach affected 1.9 million patients and had a ripple effect on 657 healthcare providers across the country. More than two-thirds of breaches occur at medical providers, such as hospitals and physician practices. But the fastest growing source of breaches comes through business associates, such as debt collectors, medical records vendors and even law firms.
Mike Hamilton: The criminal elements seem to be going down market to smaller organizations, which makes sense because they don't have the kind of resources that can help them meet regulatory requirements and have the appropriate controls in place. But they're also really starting to focus on third parties, so not necessarily covered entities in the health sector writ large like hospitals, but other organizations that maybe handle payments and collections for the health sector. And because they have records from 30 plus hospitals, and so it's a one-stop shop.
McGee: Ransomware and hacking incidents can cause victims huge sums of money through fines, loss of revenue, recovery costs and litigation. The federal agency charged with enforcing HIPAA compliance, the Department of Health and Human Services Office for Civil Rights, has levied more than $66 million in fines since 2017, for an average of 2.7 million per violation.
Nicholas Heesters: Quite a bit can be laid at the feet of poor security controls, cyber hygiene and particularly, things like having accurate and thorough risk analysis, which really goes to the heart of - I think everything that OCR has said - it continues to say - talks about the risk analysis, risk management process being foundational, not only for compliance but also to protecting ePHI. And it really goes toward, you know, understanding where your ePHI is.
McGee: The fines make up only part of the cost of a health data breach. Last year for example, San Diego-based Scripps Health incurred a $112 billion cost in the first month after a ransomware attack, including nearly $92 million in lost revenue. The hospital paid another $21 million in incident and response and recovery costs. On top of that, Scripps Health was hit with at least four class action lawsuits within the first few weeks after the attack, related to the breach of personal information for nearly 150,000 patients. These lawsuits can result in millions of dollars in settlement costs and legal fees.
Jeff Westerman: You have Social Security, driver's license, medical data and the like. And those are the most serious. And, in fact, California has a statute that allows for $1,000 minimum payment to a victim if their medical information is implicated. So the state of California takes it seriously.
McGee: In one high profile case, a 2015 breach at UCLA Health that impacted 4.5 million patients, the university had to pay up to $7.5 million in a class action settlement in 2019. The university agreed to set up a $2 million fund to pay patients for damages related to the release of information plus pay for credit monitoring for two years. Nearly half of the settlement, 3.4 million, went to pay attorneys' fees for several class action law firms. The UCLA settlement was one of the first to require that an organization's IT department invest in new security controls.
Westerman: We wanted to make sure that they were doing some things over and above what they were already doing. Based on the internal reporting, we saw about what was going on there. I think the other thing is, the second factor is, that I think the entities resist being told what to do. I think their IT departments think they want to operate without oversight. And that's just the natural state of human affairs.
McGee: Because of the high cost of cybercrime, many healthcare entities are turning to cyber insurance. However, insurance only goes so far. For example, in the Scripps Health breach, cyber insurance paid only $21 million of the $112 million in losses. Many policies only pay for the actual costs of response and recovery, leaving organizations to foot the bill for loss, revenue, fines and litigation. Looking ahead, experts say large breaches of patient information will become more rare. But the number of attacks against smaller organizations will climb.
Hamilton: So I think those numbers are all going to tick up. I think there's going to be a continued emphasis on third parties just because, you know, for the efficiency of the criminal corporation, it just makes too much sense. So it's all about third parties. It's all about smaller clinics, it's all about rural jurisdictions.
McGee: And as traditional threat vectors are closed, attackers are likely to find new ways to scam healthcare entities.
Summitt: Okay, so it's more in the area of AI and deep fakes. I think it's that, as technology increases even more, we're going to see a much more of that increase. The ability to take someone's voice and make a phone call and get something done is a scary thing that can happen. Everything that is in security should always be around that potential. What can happen to the patient, when you're doing the security of healthcare? You have to think that way. You know, we're not sitting here protecting the server, because now it's going to cause a lot of people a lot of problems to go and repair it or it's going to cost the organization downtime and funding to fix what's going to happen to the patient care if that server goes down. And that has to be first and foremost in any security team's mind.
McGee: And the impact on patients like Jay Parsi and his mother can be terrifying.
Parsi: I'm confused on why people are targeting hospitals, and, you know, potentially trying to, accidentally or maybe even intentionally, kill people, because of these medication errors or just any error. It's a very scary thing. And I know for them, they were probably scared and trying to figure out how to navigate and trying to communicate, but maybe just working together. I'm sure it was really hard. It was really busy in there in the dark.
McGee: One thing's for sure. Healthcare will continue to face attacks. But how the industry responds can be the difference between millions of dollars in losses and the safety and health of millions of patients. For ISMG, I'm Marianne Kolbasuk McGee. Thank you for watching.