Defending against the exploitation of data privacy in healthcare

Epidemic of Healthcare Data Breaches – A Prescription Instead of a Postmortem

September 2024 was a banner month for threat actors attacking the healthcare sector of the American economy.  Attacks resulting in the exposure of hundreds of thousands of individuals’ sensitive medical and financial information have occurred in a remarkably short time.  In just the space of a few weeks in September, the following data breaches were reported:

September 5 – Delta Health Systems hacked via phishing scheme

September 13 – Atrium Health hacked via phishing scheme

September 17 – Sono Bello hacked via Business Email Compromise (BEC)

September 18 – Mount Carmel Behavioral Healthcare hacked via Business Email Compromise (BEC)

September 19 – MedReview still seeking answers on “inadvertent data disclosure”

September 23 – Choice Specialty Pharmacy hacked via a suspected third-party vendor vulnerability

Sadly, this is not an exhaustive list of the breaches occurring just in September alone.

Clearly, there is something about the healthcare industry that makes it an irresistible target for hackers.  The obvious attraction is the richness of the personally identifiable information (PII) and protected health information (PHI) that is routinely collected by healthcare providers.  Healthcare by definition requires the gathering of both highly personal medical information as well as sensitive financial data.  As such, the value of this type of hacked data on the black market is very high and represents enormous profit potential for thieves.  It is also very specific personal data that is particularly well-suited to use in crafting the highly contextual messages used in the generation of phishing and other social engineering schemes.

Victims of healthcare data theft have reported various attempts at identity theft, including unauthorized charges on bank accounts or credit cards, fraudulent credit card applications, medical or government services ordered in their name, their information being sold on the dark web, and a significant increase in spam texts, calls, and emails.  The hacked healthcare organizations are like chum in the water causing a feeding frenzy of class action lawsuits which will almost certainly result in painful settlements to be paid by breached healthcare organizations as well as lasting damage to their reputations.

While it is true that data breaches are a scourge affecting all industries, research reveals that healthcare is sustaining an outsized share of the pain.  Data collected by the US Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) reveals an eye-popping 5,887 large healthcare data breaches between October 2009 when OCR began publishing the summaries of data breach reports on its “Wall of Shame”, and today.  The following graphic from the HIPAA Journal Healthcare Data Breach Statistics illustrates the growth vector of attacks against the industry.  (Note that the 2024 figure is not complete as the year is not yet over.)

Healthcare Data Breaches of more than 500+ records 2009-2024

Rather than producing a postmortem of each of these incidents, this document examines the scope of the threat facing healthcare providers in the US and provides insight into the causes of data breaches.  It delves into how healthcare has responded to the threat – what has been effective and what clearly has not been.  It will examine the consequences and ramifications of the providers who are breached.  Most importantly, the document will offer a prescription for curing the condition facing this industry. 

Evidence of Healthcare Data Breaches Metastasizing Through Industry

Like a deadly pathogen, social engineering attacks are coursing through the healthcare industry.  Not only has the number of individual breaches accelerated in the last five to ten years.  But the scope of the damage is growing precipitously.  That is, each subsequent breach seems to expose higher numbers of individuals’ private records as reported to the OCR.   According to OCR data, between 2009 and 2023 data breaches have resulted in unauthorized exposure of nearly 520,000,000 healthcare records.  That is equivalent to greater than one and a half times the entire population of the United States!

The graphic below shows the unmistakable vector of increasing numbers of individuals affected.

Until 2023, the record number of persons affected by healthcare data breaches was set in 2015 when behemoth healthcare insurance providers Anthem, Premera Blue Cross and Excellus were all breached.  As is often the case, the data exfiltrated in one incident is used by threat actors to perpetrate attacks on other similar organizations where there may be significant overlap between individual users, delivering a snowball effect on the industry.  This may be one of the factors lifting the median data breach size in more recent years. 

All the above charts suggest that 2024 will be a year that surpasses
the previous record set in 2023.  So far in 2024, 387 data breaches of 500 or more records were reported to OCR, which represents an 8.4% increase from 2023, and a 9.3% increase from 2022.  And, as is typical with data breach events, the initial estimates of the damage are not accurate.  The numbers of those individuals affected almost
always increases considerably as the investigations wind through their process and reveal the true extent of the system penetration and data exfiltration. Each attack yields a different cross section of PII and PHI depending on which databases were compromised. 
Investigations over time reveal a more complete rendering of just what types of PII and PHI were stolen.  Though, most of the following are commonly included.  

  • Contact information such as names, addresses, phone numbers, and email addresses
  • Dates of birth
  • Social Security Numbers or U.S. Alien Registration Numbers
  • Driver’s license numbers or state ID numbers
  • Financial account information 
  • Medical and health insurance information, including treatment/diagnosis information, prescription information, provider name, medical records, and more. 
  • Salary ranges
  • 401(k) account balances

Unsecured External Data Fuels the Epidemic of Healthcare Data Breaches

Mirroring the causes of data breaches across all other industries, hacking is far and away the predominant path for the loss of data.  And social engineering – Phishing/Spear Phishing, Business Email Compromise, Smishing and other forms like ransomware – is behind the majority of hacking attacks due to its remarkable efficacy and low labor-intensity.  According to the 2024 Verizon Data Breach Investigations Report (DBIR), nearly seven in ten breaches involve social engineering. 

The ready availability of unsecured external data (much of which is sourced via prior breaches and resold on the dark web or laundered and resold by unscrupulous Data Brokers) makes this the lowest effort-highest return activity for threat actors.  The OCR data visualized below illustrates the extent to which hacking is to blame for healthcare data breaches.

HIPAA data supports this assessment too, clearly illustrating the predominance of social engineering/hacking as the primary vector for threat actors targeting healthcare industries. 

The numbers of unwanted exposures track concomitantly with the causes of breaches.

Potentially Terminal Consequences of Data Privacy Failures

There are myriad negative consequences arising from being victimized by a data breach incident.  Forrester research’s State of Data Security 2024 report published findings detailing the consequences experienced by organizations suffering a data breach.  In order of frequency – from the most experienced to the least – Forrester reveals the full array of negative aftereffects of allowing cyberattacks against information systems to succeed.

The most reported effect, interruption of business process(es) is just the preliminary pain as critical systems are taken offline while the intrusion is repelled, and investigation is performed.  As the scope of the damage is revealed, other mid-term repercussions commonly experienced include data manipulation, increased cyber insurance costs, and extortion/ransom of sensitive data.  Longer tail consequences commonly include reductions in new customer acquisition, denial of service, theft of money, the flight of business partners and the loss of existing clientele among other negative results.

Not represented in the Forrester research, but still a very real and present danger to long-term operational prospects comes from the exposure to legal action.  Legal actions against breached healthcare industry organizations often take months to years to develop and wind through the legal system.  Whether they are individual suits brought by business partners harmed in the breach or class actions brought by thousands of individuals whose data was absconded, these lawsuits often result in hefty judgments and can be accompanied by fines and penalties handed down by government and regulatory authorities.

Some Examples of the Cost of Healthcare Data Breaches

IBM’s Data Breach Report confirms that, of the top five most frequently breached industry sectors, the costs of a healthcare data breach are many times higher than the other four.

For practical purposes, here are some recent, real-world examples of healthcare data breaches and what they ended up costing the victim organizations.

Med-Data, a vendor proving revenue cycle management services, medical billing, workers’ comp and other services to healthcare providers and health plans,  recently settled a data breach lawsuit for $7 Million.   The $7 million settlement was handed down to resolve all claims stemming from a data breach between 2018 and 2019 involving the PHI of at least 136,000 individuals.   The settlement itself is only part of the cost incurred as there are undisclosed figures representing the legal defense costs incurred to arrive at what is considered an acceptable compromise between the class action and the plaintiff organization.

Change Healthcare – In February 2024, a ransomware attack aimed at Change Healthcare allowed the PHI of one in every three Americans to fall into unauthorized hands.  Change Healthcare, a health payment processing company, had recently been acquired by health insurance giant UnitedHealth Group in 2022 for $13 billion after what by all accounts was a lengthy and costly legal battle with the Justice Department.  The basis of the legal battle focused on (among other things) the American Hospital Association’s concerns that the deal would dangerously consolidate healthcare data.

Nevertheless, the costly legal battle concluded and acquisition deal went through.  A short couple of years later, more than 6TB of data was stolen in the February 2024 hack.  UnitedHealth Group’s first quarter earnings report estimated total losses stemming from the cyber attack to be $1.6 billion by the end of 2024.  At the end of the second quarter, the estimate had risen to between $2.3billion and $2.45 billion.  As of the writing of this paper in late October 2024, that estimated number currently sits at $2.87 billion and is likely to be revised higher as time passes.  The executive leadership of UnitedHealth Group has had to appear before the US Senate to explain this failure.

These two examples are but a small sample of what the costs look like in real time.  And these costs don’t just derive from remediation and lawsuits.

Add to the costs of mitigating data breaches, the cost of fines and penalties for HIPAA violations when PHI is lost or exposed by breach is also very significant.  See the total HIPAA settlement and civil penalty figures below from the Healthcare Data Breach Statistics report from the HIPAA Journal which contains dozens of other eye-opening charts and figures which are worth reviewing.

How the Healthcare Industry is Responding to Data Breach Threats

Once again, Forrester research from their State of Data Security 2024 report provides insight into the mainstream thinking among all industries grappling with cyber crime and data security.  The most common response to the question, “Which of the following has your organization done in response to the breach(es) you’ve experienced in the past 10 months” was the rather broad answer, “increasing spending on new technologies or services for incident response”.  Which demonstrates a lack of awareness of how to truly address the problem.  Incident response is a reactive proposition.

Subsequent responses included increased spending on new tech for detection, new tech for protection, new tech for recovery and so forth.  Others further down the list referred to adding or switching IT vendors, including multifactor authentication, and additional employee training etc.

Additionally, respondents seemed to rely heavily on data security solutions from Google, Microsoft and to a lesser extent third-party data management and security solutions such as data loss prevention solutions.  All of which have proven to be of very limited utility when it comes to successfully guarding against social engineering.  None of which offer any capabilities addressing the identification and management of unsecured external data.

Healthcare Organization Heal Thyself – Embrace External Data Privacy Management

Privacy Bee for Business offers a White Paper titled, “Why Active External Data Privacy Mitigation Post Breach is Superior to Passive Credit Monitoring”.  That paper illustrates how all the reactive strategies used by organizations today are akin to applying a band aid to a sucking chest wound.  In the absence of muscular and intelligent methodologies for identifying and eliminating all the unsecured external data used by threat actors to perpetrate their routinely successful social engineering attacks, none of the post-breach responses mentioned in the Forrester report above can be effective.

For a cost-per-user that falls somewhere in the mid-range of costs to employ reactive, post-breach credit monitoring services, (and well below the costs associated with changing cyber security providers and technologies wholesale) a breached organization can instead offer highly effective external data privacy management to their workforce and to all those working within any third-party vendors like medical billing companies and clearinghouses. 

Privacy Bee for Business delivers a number of potent audits and scans like the External Data Privacy Audit and Privacy Risk Assessment which an organization can utilize at no cost.  Doing so provides immediate and eye-opening visibility into the level of risk an organization is exposed to by unsecured external data.  Once it becomes apparent the extent to which these risks and threats exist, the cost of applying the Privacy Bee for Business platform for all relevant internal resources (as well as for those within active third-party vendor organizations) is routinely seen as nominal. 

Interrupt the Exploitation of External Data

The Privacy Bee Business Platform is designed to cast a protective shield over an entire organization.  This includes all employees, their families, contractors, freelancers and even employees of vendors with whom your systems may integrate. 

Containment

With a burgeoning database of thousands of data brokers, People Search Sites and other data aggregation sources, Privacy Bee Business service works to scrub your employees data from all major data brokerages, People Search Sites, etc. and then takes the additional step of cleaning up any previously exposed information from major search engines. 

Employee Risk Management dashboards allow an organization to set minimum thresholds for exposure – the Employee Risk Score – and then provide visualizers to monitor each employee’s risk profile.  Keeping the entire staff within acceptable tolerances helps safeguard your organization against targeted attacks. 

External Data Privacy Audit discovers and analyzes data exposures for your employees and also for your vendors.  Another centralized dashboard helps keep close tabs on external data exposure and the impacts this has on productivity.  The application performs financial risk assessments to deliver estimated costs of external exposures.  The dashboard provides metrics such as “Company Risk Scores”, “At-Risk Vendors”, “At Risk Employees”, “Top Exposure Sources” and others.  These External Data Privacy metrics support active, quantifiable governance over risk tolerances and deliver a concrete method for measuring progress as you reduce the organization’s external data risk.

Vendor Risk Management delivers control over vendor access to external company data and allows an organization to enforce its information security policies by extending them over the vendor organization as well.  Dashboards for Vendor Risk Management display Vendor Risk Scoring, and allow you to set a minimum vendor score.  If any vendor cannot meet the minimum security threshold, they can be removed or suspended until they mitigate the identified risk to attain compliance with your policy.   

Privacy Bee Business sets up 24/7/365 privacy monitring and delivers a configurable interface for organizations to make and enforce compliance with privacy choices.  This includes

Where are the Weak Points?

You cannot manage what you cannot measure.  Privacy Bee for Business helps organizations serious about External Data and Vendor Risk Management identify the unknown unknowns of their risk profile.  Begin today with an External Data Privacy Audit and then learn more about the entire suite of solutions to protect your organization against risks and threats to your operations.

Trusted by thousands of companies.

Instant access to the world's leading business privacy platform. Dive into your account: