Why healthcare organizations are common targets for data breaches

The motive behind a data breach usually reflects the financial, ideological, or strategic interests of the threat actor, and financial gain above all is what drives threat actors to target healthcare organizations so frequently. Protected health information (PHI) has a wide range of uses once acquired: it can be sold on the black market or used to extort both the provider and the patient, so a single breach offers several ways to profit. 

Some also target healthcare organizations for political reasons. Hacktivist groups may aim to expose perceived ethical violations such as inequities in access to healthcare or controversial practices. Nation-state actors also exploit vulnerabilities in healthcare systems to gather intelligence or disrupt services during times of geopolitical tension. 

How healthcare organizations are targeted by threat actors

  1. Phishing attacks: Threat actors send deceptive emails that trick employees into clicking malicious links or opening malicious attachments. The point of access is usually an email account, which is especially vulnerable when the organization does not use HIPAA-compliant email software. 
  2. Ransomware attacks: Groups like BlackCat and RansomHub have targeted healthcare organizations with ransomware that renders systems inaccessible until a ransom is paid.
  3. Exploitation of unpatched systems: Outdated and unpatched software in healthcare practices is often used as the entry point to patient data.
  4. Insider threats: Malicious insiders may deliberately sell or leak data, while negligent employees can cause unintentional breaches through poor security practices. 
  5. Social engineering: Attackers manipulate employees into granting access to systems or data by impersonating legitimate parties such as IT staff or vendors. 

Data breaches in the news

The Change Healthcare (UnitedHealth Group) attack

Change Healthcare is a major player in healthcare infrastructure, managing services like payment processing, prescription management, and data analytics, which made it an attractive target for BlackCat (ALPHV). The organization's large data repositories and reliance on digitized processes create a recipe for exploitation. 

The breach of its systems caused large-scale disruptions across the US healthcare sector, affecting millions of patients, providers, and pharmacies. The attack also exposed weaknesses in Change Healthcare's systems that drew extensive media scrutiny and legislative repercussions.

Familylinks email breach

Familylinks was targeted by threat actors who exploited weaknesses in employee email accounts. The breach is a more recent example of threat actors reaching a healthcare organization through one of the most common methods of attack, the email account. Although the attack affected far fewer individuals than the Change Healthcare breach, it shows that no provider is immune, regardless of its size or role. 

Great Expressions Dental Centers and the multi-million dollar settlement

GEDC, a large dental practice, suffered a data breach that affected over 250 locations and nearly 2 million patients and employees, traced to unencrypted data on its network. A class action followed and resulted in a $2.7 million settlement. As part of the settlement GEDC committed to strengthening its cybersecurity practices, while denying wrongdoing and maintaining that the breach was not due to negligence. 

Reality in statistics 

Statistics for 2024 reflect the increased number of cyberattacks targeted against health organizations. Statista reported the following statistics:

  • Between January and September 2024, there were 491 large-scale breaches, a pace roughly in line with the 745 cases seen in all of 2023. 
  • The sector has recorded the highest cost per data breach of any industry for four consecutive years.
  • The average cost per data breach in the US was over $9 million. 
  • The US average was nearly double the global average cost per breach. 

FAQs

What is a threat actor? 

A threat actor is an individual or group that intentionally targets systems, networks, or data for malicious reasons. 

What are the consequences of a data breach? 

The consequences of a data breach for healthcare organizations include: 

  • Financial loss
  • Operational disruption
  • Regulatory penalties 

What is the role of the HHS OCR in data breach handling?

The Office for Civil Rights (OCR) in the HHS oversees the enforcement of HIPAA’s regulations. Its role includes: 

  • Monitoring and investigation
  • Enforcement
  • Guidance and education
  • Public reporting