In 2024, approximately 168 million individuals were affected by breaches impacting 500 or more individuals. The ten largest breaches alone accounted for nearly 137 million records, showing lasting weaknesses in safeguarding protected health information (PHI).
According to the OCR data breach portal, hacking and IT incidents accounted for 90% of major breaches, and HIPAA business associates were linked to five of them. The breaches exposed individuals’ names, Social Security numbers, financial information, medical records, and other data.
BlackCat ransomware actors exploited a Citrix platform with weak security settings, such as the absence of multifactor authentication, to breach systems used for remote access and application hosting.
The attackers compromised the systems of Change Healthcare, a subsidiary of UnitedHealth Group. A ransom of $22 million was reportedly paid.
In April, U.S. health giant Kaiser Permanente disclosed that data transmissions involving Google and Microsoft exposed sensitive information to third-party advertisers. Investigations suggest that improperly configured tracking tools allowed unauthorized access to patient interactions, including PHI shared via patient portals.
In July, HealthEquity informed Louisville Metro of a major data breach. Specifically, attackers used a business partner's device to access and steal Social Security numbers, health insurance information, and other records.
This Texas-based provider was breached through Perry Johnson & Associates, a third-party vendor providing transcription services. The incident exposed weaknesses in the management of vendor risk. Compromised data includes medical diagnoses, treatment notes, and personal information.
The MOVEit Transfer tool developed by Progress Software is a widely used file-transfer application; attackers exploited a vulnerability in it. The breach included data of Medicare beneficiaries, including claims and enrollment records.
During this breach, hackers extracted billing information and healthcare provider details from Nomi Health's servers after gaining unauthorized access. The breach called into question the organization's internal monitoring and incident response procedures.
Hackers infiltrated an employee’s email account, gaining access to sensitive patient data such as medical records, billing information, and demographic details. The provider’s lack of phishing-resistant email protocols and inadequate staff training on identifying phishing attempts were singled out.
Cybercriminals crafted a phishing attack aimed at employees with access to Molina’s billing systems. Once inside, they took advantage of weak access controls and inadequate safeguards to extract patient data.
Hackers exploited unpatched network vulnerabilities and insufficient endpoint protection measures, accessing sensitive patient records, including medical and billing information.
A misconfigured database exposed patient appointment details, demographic information, and internal communications. While there was no indication of malicious hacking, the breach illustrated the risks posed by configuration errors.
Vulnerabilities in third-party systems, a lack of multifactor authentication, and poor employee training are among the biggest failures in healthcare cybersecurity. Besides disrupting patient care, data breaches incur substantial financial penalties and reputational damage for healthcare organizations.
Healthcare organizations must improve their cybersecurity through multifactor authentication, continuous monitoring, and better third-party vendor management. As cyber threats continue to evolve, organizations must be proactive in assessing and mitigating the risks associated with protecting patient data.
Yes, phishing attacks in healthcare fall under Health Insurance Portability and Accountability Act (HIPAA) regulations. Phishing attacks that compromise the privacy and security of protected health information (PHI) can lead to severe penalties, including fines and reputational damage.
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle PHI.
Providers must use a Business or Enterprise plan, sign a business associate agreement (BAA) with Google, and use a HIPAA-compliant platform, like Paubox, to protect patient information.