Hacking is growing especially quickly
Breaches of personal health data, especially by hacking, have risen sharply in recent years and affected more than 46 million Americans in 2021, according to a newly released investigation of health data breaches conducted and reported by the website POLITICO.
POLITICO analyzed more than six years of breach data reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). It found that data breaches occurred in 2021 in every state except South Dakota, with hacks accounting for 74% of those.
By contrast, hacks made up 35% of breaches in 2016. It quotes Mac McMillian, CEO of the cybersecurity firm CynergisTek, calling the health care industry “easy pickings” for hackers.
“It’s [not] gonna slow down until we either get more serious about stopping it, or blocking it, or being more effective at it. From the cybercriminals’ perspective, they’re being successful, they’re getting paid, why would they stop?” McMillian is further quoted as saying.
Organizations covered by HIPAA, which include most hospitals, insurance providers and health care systems, are required to report breaches of personal health data affecting more than 500 people to OCR. In addition to hacking, breaches can include data theft, such as a stolen electronic device containing health data, and unauthorized access, such as accidentally sending data to the wrong recipient.
POLITICO’s analysis found that in more than half the states and the District of Columbia at least 10% of residents were affected by unauthorized access to their health information. The states with the highest percentage of affected residents include Alaska (68.5%), New Mexico (53.5%), Nevada (47.5%), and Wisconsin (43.3%).
The article notes that health care information is especially valuable to hackers because it can be sold on the dark web or used for identity theft or to file false Medicare claims. Fraudulent use of health data also is costly, it says, citing an IBM report showing that each data breach cost the affected organization an average of $9.23 million in 2021, the most of any industry.
Experts quoted in the article attribute the rise in hacking to health care’s increasing digitization, more use of personal devices to send and receive information as organizations shifted to remote work during the COVID-19 pandemic, and greater awareness of attacks, leading to more reporting of them.
In addition, they say, health care is more vulnerable to ransomware attacks than most industries. Hackers know that a disruption in care could threaten patients’ lives, so health care organizations are more likely to pay ransoms to retrieve or unlock their data.