Data breaches are down, but number of people affected is rising

The number of health care data breaches is on pace to be the lowest since 2019, a new cybersecurity report suggests.

But the good news only goes so far. The bad news is that the number of people affected by health data breaches is poised to surge past previous years, according to a new report by Critical Insight, a cybersecurity firm.

In the first half of 2023, 40 million Americans were affected by health data breaches, according to the firm’s analysis of federal data. By comparison, a record 58 million people were impacted by breaches in all of 2021.

“Certainly, the more concerning piece of that is, the number of records impacted is increasing,” says John Delano, M.S., health care cybersecurity strategist at Critical Insight and vice president at CHRISTUS Health.

In the first six months of the year there were 308 health care data breaches, compared to 349 in the first half of 2022 and 367 in the first half of 2021, Critical Insight reports. The firm analyzed data from the U.S. Department of Health and Human Services.

Mike Hamilton, MS, CISSP, chief information security officer of Critical Insight, explains that the bigger number of victims, even with fewer attacks, is an indicator that attackers are being shrewder.

“What seems to be going on is better targeting by criminals,” Hamilton says. “I mean, these are basically illegal corporations, and they need to minimize risk, maximize their return on their effort.”

To be sure, plenty of hospitals have seen attackers infiltrate their systems so far this year. More ransomware attacks have been reported at hospitals in recent months, industry analysts say.

Some hospitals owned by Prospect Medical Holdings were hit by a cybersecurity attack, requiring some services and procedures to be delayed. HCA Health care disclosed a data breach in July that affected as many as 11 million patients. The large, for-profit system said the breach appeared to be the result of a theft from an external storage location used to automate the formatting of email messages.

However, cybercriminals are showing increasing interest in targeting electronic medical records (EMRs) And they are finding they don’t have to go to health systems to get access to patient records.

In fact, cybercriminals are getting records—and affecting hospitals and health systems—by targeting insurers or other key vendors, experts say.

“They're going after EMRs, rather than individual hospitals,” Hamilton says. “They're going to a hospital chain, or a service provider that serves up records, so that they can minimize that effort. And they're starting to be very successful doing this.”

A cyberattack on MCNA, a dental insurer, affected more than 8.8 million Americans, according to the health department. A pharmacy services firm, PharMerica said in a statement it was hit with a cyberattack in March, and the breach has affected more than 5.8 million Americans.

When software vulnerabilities are announced, Hamilton says, “criminals, nation-states, everybody goes to work, reverse engineering the patch, so that they can develop the exploit, scanning the internet to find the exposures and then taking them over.

“And that's starting to happen very quickly, every time a vulnerability is announced,” Hamilton add. “So this change in tactics really, I think, is a message to covered entities, mainly about vulnerability management and getting a lot better at it.”

About two-thirds (65%) of the breaches in the first half of the year involved health care providers, while one in five (21%) affected business associates, and 14% affected health plans, according to the Critical Insight report.

And attacks on business associates are proving fruitful. About 19.5 million records were accessed from business associates in the first half of the year, accounting for about half of the records breached.

While health organizations are investing more on cybersecurity and doing more training, Delano says health systems need to continuously work at cybersecurity in the face of emerging threats.

“I've always viewed it as a cat-and-mouse game,” Delano says. “You're always having to learn how to build a better mousetrap. So as defenses increase, the criminals get smarter … Health care organizations have to be right all the time. It only takes being wrong once to be affected by a breach.”

Hospitals are also challenged by their legacy applications, Delano says. As hospitals work around the clock, it’s not easy to address vulnerabilities, he says.

“It's very difficult to take these systems down to patch them,” Delano says. “When you've got hundreds or thousands of applications that are constantly needing to be updated … it can be very disruptive. So I think organizations have to get better at getting those patches in, in a more timely manner.”

Cybercriminals are finding more undiscovered vulnerabilities, referred to as “zero day” events, and exploiting them, Hamilton says.

“That means one of two things,” he says. “They are really investing in researchers to develop ‘zero day’ exploits, or there is some collusion with nation-states who have a stockpile of those things. And I'm not sure which one of those I believe, but that's a bad situation.”