Why the health care industry is one of the biggest cybercrime targets

Why the health care industry is one of the biggest cybercrime targets

A wealth of information, including Social Security numbers, birth dates, and health insurance details; a reliance on systems connected to the internet; and weak protections. It's easy to see why health care institutions are such enticing targets for hackers, and they are rising to the challenge.

With that in mind, Free NPI Lookup examined data from the Department of Health and Human Services and other sources to explore the scale of health care data breaches over the last decade.

In 2023, there were 725 large data breaches at hospitals and other organizations, breaking the record 720 breaches the year before, according to a January 2024 report from The HIPAA Journal. In addition, over 133 million records were compromised, more than double the number from the previous year. The problem has become so dire that more than 370,000 records were breached daily in 2023.

What makes health care so attractive to hackers? The stakes.

Should a hospital or other institution be the subject of a ransomware attack, where hackers disrupt operations until they receive a payoff or ransom—patients might suffer or even die. Think of delayed procedures, diverted ambulances, and electronic monitoring equipment going offline. The human cost makes agreeing to hacker demands tempting, even if the FBI advises against it, such as in the case of Change Healthcare, which allegedly paid $22 million in ransom, according to Wired.

Not only is the information valuable, but detection can take a while. As the HIPAA Journal noted, health care data can be used fraudulently for a long time before it is detected. Credit companies constantly monitor unusual spending patterns and can quickly close an account, but health care data cannot be changed so easily. It may also be bundled with other information and sold to identity thieves.

Free NPI Lookup

Hackers increasingly targeting health data

The HHS calls hacking and ransomware "the primary cyber-threats" to the health care sector. They are becoming more frequent and more sophisticated as the industry relies heavily on digital technology, whether electronic records, telehealth, internet-connected devices, or connections to insurance companies and vendors. Older equipment might be incompatible with security measures but too expensive to replace.

In 2023, ransomware attacks against the health care sector worldwide nearly doubled over the year before, according to the Office of the Director of National Intelligence. There were 389 victims in 2023 compared with 214 in 2022. Over the past five years, large breaches involving hacking increased 256% while ransomware shot up 264%, according to the HHS. Attacks can affect millions in one fell swoop.

Among the recent large breaches involved the Kaiser Foundation Health Plan and its 13.4 million members. What Kaiser Permanente described to TechCrunch as "online technologies" installed on its website and applications manifested into members' searches being forwarded to the likes of Google, X (formerly Twitter), and Microsoft. No Social Security numbers, financial information, or credit card numbers were shared, the company told the Los Angeles Times, but IP addresses—which identify a particular computer—might have been.

Concentra Health Services, in contrast, affected about 4 million individuals, a third as many people as Kaiser Permanente's breach. The company used a medical transcription company called Perry Johnson & Associates, which was hacked in 2023 and already compromised about 9 million at the time. Patient data divulged included names and addresses, birth dates, Social Security numbers, and other information.

A&A Services, which does business as Sav-Rx, appears to have paid a ransom when it was hit with ransomware, according to The HIPAA Journal. The journal based that assessment on the company's statement that data taken from its system was destroyed. A&A Services, a pharmacy benefits management company based in Fremont, Nebraska, said it was able to get its systems running the next day with no delay in prescriptions.

Sometimes, not only health care companies but even the affected patients themselves are contacted, as was the case for INTEGRIS Health's Oklahoma patients. Hackers emailed individuals directly and demanded $50 from each; otherwise, they threatened to sell the data on the dark web. To prove they actually had the data, the hackers included addresses, phone numbers, birth dates, and Social Security numbers in their emails.

ARMMY PICCA // Shutterstock

What's being done to boost security?

The challenges facing the health care industry are significant. Health care breaches remain the most expensive across all industries, according to IBM's 2024 Cost of a Data Breach report. The average cost of a health care data breach did fall over the last year, from $10.93 million in 2023 to $9.77 million in 2024, but that's still twice as expensive as the average for all industries.

Critics in the industry say hospitals and other health care institutions are often far behind other sectors in boosting their cybersecurity, even with such simple steps as installing patches for known vulnerabilities. Moreover, financially strapped organizations may struggle to pay for cybersecurity professionals.

What is being done to help the industry tackle the problem? The HHS is trying new requirements balanced by voluntary measures and seeking funds to incentivize hospitals to meet cybersecurity goals. It has proposed rewriting the HIPPA rule—or the Health Insurance Portability and Accountability Act, which requires protecting patient information—to address cybersecurity. It could also tie Medicaid and Medicare funding to heightened cybersecurity, according to the Associated Press.

The Biden administration launched the Universal Patching and Remediation for Autonomous Defense, or UPGRADE, program, to create IT tools that can better fend off cyberattacks in hospitals. It also announced efforts from the private sector.

Microsoft has agreed to provide grants giving smaller organizations up to a 75% discount on security products and free cybersecurity training and assessments for eligible rural hospitals. Google will also provide advice for rural hospitals and nonprofits, as well as discounts for its suite of tools. In the meantime, New York proposed cybersecurity changes for its hospitals and allocating funds to help pay for the improvements.

No matter what, the efforts will need funds. Former health official Iliana Peters told The New York Times, "Without additional resources to raise the bar, those health care providers and those health care payers are going to continue to make choices to pay for treatment or for cybersecurity."

Story editing by Carren Jao. Additional editing by Kelly Glass. Copy editing by Paris Close. Photo selection by Clarese Moller.

This story was produced by The Data Project and was produced and distributed in partnership with Stacker.