Today, cyber-attacks are relevant to people's personal lives regardless of the industry or state they are in.
According to breach data from the U.S. Department of Health and Human Services Office for Civil Rights, about 875 incidents were open and under investigation as of September 23, 2022, with about 73 million people affected.
According to the Identity Theft Center's report on the first quarter of 2022, the healthcare industry underwent significantly more breaches than any other industry in 2022. After the passing of the HITECH Act in 2009, healthcare organizations started to rely on the electronic health record, which connected patients' medical information with networked medical devices, making it easier for external actors to hack into such systems. Furthermore, private health information from patients, which could be valued at up to $250 per record on the black market, is more valuable than even credit card information. It is therefore important that healthcare providers and their business associates secure themselves against data breaches.
Five recent healthcare security incidents are highlighted here.
One of the largest data breaches of 2022 was that of the Shields Healthcare Group, reported on July 22, 2022. This data breach affected about 2 million people and happened after an unauthorized party accessed the company's computer system for about 2 weeks. The company found that the unauthorized access to the computer system started on March 7, 2022, and continued until March 21, 2022. The company informed all individuals impacted by the breach. A class action lawsuit was filed against Shields Healthcare Group, alleging the company should have done more to avoid the risk of the breach. Some actions an organization could take to mitigate the risk of ransomware attacks are:
Another incident was at the Northwestern Medical Center, where an employee accessed the protected personal information of patients without authorization, including names, birthdates, Social Security numbers and medical histories. The medical center's computer system was breached multiple times between May 21, 2021, and June 10, 2022. A class action lawsuit was filed against Northwestern Medicine and one of its vendors, alleging that they failed to guard sensitive data from the breach.
Because this is a case of an employee accessing protected data without authorization, proper authorization controls should have been in place. Here are some key recommendations to mitigate the risk of unauthorized access to data.
A different type of incident was that of Trident Health Care, where the attacker obtained physical access on April 17, 2022, to a set of hard drives and other equipment. It was classified as theft, and the breach included names, dates of birth and Social Security numbers. The breach affected about 6,000 people. Local law enforcement was informed, and the impacted individuals were asked to remain vigilant by checking credit reports and account statements.
Incidents involving physical access to the facility could be prevented by implementing strong physical safeguards to secure the premises.
Surprisingly, however, this wasn't the only data breach that resulted from physical theft. The largest data breach this year was that of SAC Health, where paper records containing names, addresses, dates of birth, and diagnosis codes of patients were stolen. About 150,000 people were impacted and were notified on May 3, 2022. The Lyon Firm, a law firm, is working on a class action lawsuit against SAC Health.
Tips to mitigate the risk of physical security threats:
Another incident that further exemplifies this is from the Teamsters Local 812 Retirement Fund, where Horizon Actuarial, which was providing technical services to the Retirement Fund, was found in November of last year to be the subject of a ransomware attack. Horizon paid a ransom to have the stolen data deleted. On March 24th of this year, Horizon revealed that about 8,152 members of the Retirement Fund had had their information compromised.
It can also be gleaned from the figure above that the entity that is most likely to undergo a breach is the healthcare provider. However, this chart also shows that other entities, such as business associates, are far from safe.
In 2022, the risk of data breaches for healthcare providers and business associates continues to grow. Those who have undergone cyberattacks could face litigation, ransomware attacks, or stolen property. The suggested actions detailed throughout this article can be used to address such risks.