The Database You Don’t Want To Need: Check To See If Your Health Data Was Hacked

More than 144 million Americans’ medical information was stolen or exposed last year in a record-breaking number of health care data breaches, a USA TODAY analysis of Health and Human Services data found.

After breaches broke records in 2023, the most significant one hit in February, when a ransomware attack targeted Change Healthcare, the nation’s largest health care payment system, which is owned by UnitedHealth Group. The company handles a third of all patient records and processes 15 billion health care transactions a year, according to an HHS letter.

The COVID-19 pandemic accelerated the use of remote and third-party technologies, making the health care ecosystem more interconnected and vulnerable to cyberattacks, said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association. These technologies can help deliver care to patients wherever they are, but they also give hackers broader access to health care systems and records.

Since 2019, data breaches targeting third-party vendors contracted by hospitals have more than tripled, growing at a significantly faster rate compared to attacks aimed directly at traditional health care providers, USA TODAY’s analysis of HHS data showed.

“The bad guys have figured it out,” Riggi said. “They realized, ‘Why hack 1,000 hospitals when I can hack the one common business associate and get all the data?’”

Cyberattacks on hospitals disrupt patient care and pose risks to patient safety. Surgeries are canceled or rescheduled. Patients and ambulances get diverted. Patients’ protected health information and personally identifiable information are exposed. When clearinghouses and health care payment systems are targeted, billing and payment issues can persist for months.

“It’s just going to get worse,” said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center.

Has your health information been exposed?

Federal law requires health care organizations to report to Health and Human Services any security breaches that expose patient information. Search by company name, breach type or company location to see if your health information has been compromised.

What is the main cause of health care data breaches?

Cyberattacks aren’t uniquely a health care problem, but the industry is a major target because of the abundance of financially valuable personal information, said Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society.

Hacking incidents are the most common type of health data breach, accounting for more than half of the cases going back to 2009, USA TODAY’s analysis found.

Ransomware attacks are becoming more common, Weiss said, where cybercriminals demand large sums of money to restore access to sensitive medical data. The health care industry is affected by ransomware attacks more than any other critical infrastructure sector, according to a 2023 internet crime report by the FBI.

Compared to other sectors, “health care is more inclined to pay because ultimately lives are at stake,” Weiss said.

“It’s a self-serving prophecy,” he said. “Because organizations are paying the ransoms, we’re seeing a very expected evolution in the increase in the number of attacks.”

Not all hospitals and health care organizations have enough money, technology and staff to protect themselves, Riggi said.

“The health care sector is woefully behind when it comes to resourcing cybersecurity and information security,” Weiss said.

“We’re really playing catch-up.”

What are the biggest health care data breaches?

Prior to the Change ransomware attack, the largest-ever health data breach occurred in 2015 when nearly 79 million Americans’ protected health information was exposed in an attack against health insurance giant Anthem, now named Elevance Health.

Anthem agreed to pay $16 million to the HHS’ Office for Civil Rights three years later, the largest settlement of its kind.

In 2023, HCA Healthcare, which operates 182 hospitals and thousands of health care facilities across 20 states, experienced the third-largest health data breach overall and the largest of the year. The attack compromised the personal information of more than 11 million patients.

The incident involved an external storage location, but no clinical information, payment details, or other sensitive information such as passwords or Social Security numbers were compromised, Harlow Sumerford, a spokesperson for the Nashville, Tennessee-based company, wrote in an emailed statement.

Asked whether HCA has plans to enhance its security posture, Sumerford said the company does not publicly discuss the details of security measures as part of the company’s overall protection strategy.

Following the Change Healthcare incident, lawmakers and regulators have directed increased attention toward proposing measures to safeguard health care organizations and ensure their financial stability, said Tom Leary, senior vice president and head of government relations at the Healthcare Information and Management Systems Society.

Some hospitals and health care organizations have also been increasing their cybersecurity budgets to better guard themselves against future attacks, Leary said, citing a 2023 cybersecurity survey report.

“This is a shared responsibility,” Riggi said. “Hospitals know we need to do our part to be better prepared to defend against and respond to attacks, but that alone will not solve the health care sector cyber crisis.”

 
