Healthcare Data Breaches Doubled in 3 Years

Targeting of Providers, Plans and Partners

Since 2009, healthcare breaches have affected the personal information of 370 million people. Quick math says that’s more than the entire U.S. population, and that’s only counting the major breaches affecting 500 people or more.

The situation is growing worse. In just the last three years, the volume and frequency of breaches have nearly doubled, from 368 in 2018 to 715 in 2021. And the nation is on track for more than 700 major health data security incidents this year.

As of November 10, the Department of Health and Human Services’ “wall of shame” shows 595 breaches posted so far in 2022, affecting more than 40 million individuals.

Hacking incidents top the list as the most common type of health data breach to be reported to regulators in recent years, and phishing scams, ransomware attacks and data extortion attempts affect tens of millions of individuals every year.

“Every industry and every subindustry in healthcare is seeing an increase in attacks,” says Taylor Lehman, director of the Office of the CISO for Google Cloud. “We’re seeing increased attacks on medical devices. We’re seeing increasing attacks on life sciences organizations. We’re seeing it for a variety of reasons. This isn’t going away.”

Growing Costs of Healthcare Breaches

Besides the implicit safety risks ransomware attacks can pose to patients, the incidents also have severe financial impacts on affected organizations.

For instance, last year, San Diego-based Scripps Health incurred $112 million in costs in the first month after a May 2021 ransomware attack – including nearly $92 million in lost revenue related to redirecting emergency room visits and postponing elective surgeries. The hospital paid another $21 million in incident response and recovery costs.

On top of that, Scripps Health was hit with at least four class-action lawsuits within the first few weeks of the attack related to the compromise of personal information for nearly 150,000 patients. These lawsuits can result in millions of dollars in settlement costs and legal fees.

Add in fines and settlements from regulatory enforcement actions, and a healthcare provider can be hit with significant costs multiple times for a single breach. Those fines and settlements have been increasing over the last few years as well.

That’s because regulators are paying increased attention to critical infrastructure, consumer rights and the more aggressive types of ransomware and other cyberattacks. Those regulatory actions, in turn, can fuel more civil litigation in breach cases.

Plaintiff’s counsel can always use the existence of a government investigation or settlement as leverage to substantiate the likelihood of a material cybersecurity event.

If you have questions about the escalating risks posed by cyberattacks in the healthcare industry, call ITPAC today.