Cybersecurity News

Healthcare Hacking Incidents Rose 42% in 2020, 31M Patients Impacted

The Protenus Breach Barometer shows the healthcare sector fought two silent enemies in 2020: COVID-19 and cyber threats; nearly 31 million patients were affected by hacking alone.

healthcare hacking incidents impact millions of patient records and other health information posing fraud risk

By Jessica Davis

- Hacking incidents on the healthcare sector rose 42 percent from 2019, impacting a combined total of nearly 31 million patient records in 470 security incidents in the last year, according to the latest Protenus Breach Barometer.

Health systems were pummeled by both the COVID-19 pandemic and cyber threats, with researchers finding a rise in healthcare hacking incidents for the fifth consecutive year.

For its annual analysis, Protenus, with support from DataBreaches.net, reviewed the 758 healthcare data breaches reported to the Department of Health and Human Services in 2020. For comparison, the reported number of breaches in 2019 totaled 572. 

The researchers then assessed 609 incidents, for which they had data, to determine the leading causes and the risks healthcare entities need to address. In total, these incidents compromised 40.7 million patient records.

Given incidents only need to be reported to HHS when 500 or more patients are affected, and the lack of data for more than 100 breaches, the researchers stressed the findings are likely more severe in actuality.

Hacking incidents on the sector were consistent throughout the year. Protenus observed hackers exploiting healthcare vulnerabilities, including those found in the tech leveraged for the COVID-19 response like telehealth and remote work.

These incidents are putting patients at risk of identity theft and exploitation, with the stolen data being sold on the dark web for as much as $1,000, depending on the type of information.

“Under obligation to do no harm, healthcare organizations must adopt advanced tools capable of preventing hacks and their frightening consequences for patients,” researchers explained.

“By making investments to protect patients, health systems in turn protect themselves from severe reputational damage, financial penalties, or care disruptions stemming from hacking incidents,” they added.

These risks were also highlighted in recent reports from Universal Health Services, which lost $67 million in lost revenue and recovery efforts after falling victim to a ransomware attack for more than three weeks in the Fall of 2020.

Two more recent reports found the risk to healthcare stems from credential theft and database leaks, among other threats, while the number of these attacks doubled in the last year.

In addition, insider incidents were the second-most common category of breaches, accounting for 20 percent of all security events in the sector last year. The number of insider incidents spiked after four years of decline and impacted more than twice as many patient records than in 2019.

Researchers had data for 111 of those incidents, which affected more than 8.5 million patient records -- up from just 3.8 million in 2019. In total, insider incidents accounted for 20 percent of all healthcare data breaches in 2020.

Protenus noted that many of the 2020 insider incidents stemmed more from error than those with malicious intent. It’s likely the pandemic itself heightened the number of these incidents, given “the temptation to snoop on someone's COVID-19 status or vaccination record."

“A zero-tolerance stance on snooping is important, but it will never be enough to prevent innocent mistakes or nefarious hackers,” researchers wrote. “Only by using compliance analytics to calculate the risk score of any anomalous access can organizations surface and prioritize interactions with data that truly warrant attention.”

“Noncompliance is critically important to identify and prevent, especially when organizations are struggling financially. Compliance incidents are costly because of all that goes into reconciling them. On top of paying penalties, health systems must do damage control,” they added.

To Protenus, healthcare leaders must ensure they’ve employed thorough risk assessments and employee training and education to keep ahead of the current threat landscapes. The security measures, tech, and policies must also be routinely tested to ensure effectiveness. Backups must also be kept offline and separate from the main network.

Lastly, previous guidance from NIST and the Healthcare and Public Health Sector Coordinating Council can support entities in bolstering employee education, understanding the threat landscape, and protecting the supply chain.