Healthcare Data Breaches

With at least six weeks before final numbers are in, the Department of Health and Human Services HIPAA Breach Reporting Tool website is reporting 713 major healthcare data breaches in 2021, an increase of more than 7.5 percent.

By the Numbers: Major Healthcare Data Breaches Increase in 2021

Protected health information (PHI) from more than 45.7 million patient records was affected by a major healthcare data breach in 2021. This is the second-largest number of records reported breached on the government site since 2015. The 2015 total included the largest single healthcare data breach on record: the breach of health insurer Anthem, which affected 77.8 million individuals.

Besides the start of the global pandemic, the year 2019 marked the beginning of a precipitous jump in major healthcare data breaches reported on the “Wall of Shame.” The 2021 breach total nearly doubled the number of breaches in 2018.

Cybercrimes are Leading Cause of Major Healthcare Data Breaches in 2021

The HHS website data confirms the near-exponential increase in healthcare data breaches resulting from cybercrimes. At least 526 of the 713 breaches reported in 2021 were categorized as Hacking/IT Incidents.

These incidents accounted for 94 percent of the total records breached – a staggering 43.1 million records in 2021.

Healthcare providers and business associates seem to be getting the message regarding encrypting and protecting electronic devices and computers. Only 16 breaches involving lost or stolen devices, affecting fewer than 100,000 patients, were reported in 2021. This represents a dramatic reduction from years past, when lost or stolen devices were one of the largest contributing factors to healthcare data breaches.


Trends of Major Healthcare Data Breaches Continue in 2022

The bad news is that the upward trend appears to show no signs of slowing down in 2022. The year opened with South Florida-based Broward Health reporting a hacking and data exfiltration attack that may have compromised as many as 1.3 million patient records.

The Identity Theft Resource Center (ITRC) is a national nonprofit organization established to empower and guide consumers, victims, businesses, and governments to minimize risk and mitigate the impact of identity compromise and crime. 

The organization’s 2021 Annual Data Breach report issued on January 24, 2022, found data compromises across all industries increased 68 percent over 2020’s total. Other findings in the report included:

  • Ransomware-related data breaches have doubled in each of the past two years. At the current rate, ransomware attacks will surpass phishing as the number one root cause of data compromises in 2022.
  • There were more cyberattack-related data compromises (1,603) in 2021 than all data compromises in 2020 (1,108).
  • Compromises increased year-over-year (YoY) in every primary sector except the Military – where there were no data breaches publicly disclosed. 

“There is no reason to believe the level of data compromises will suddenly decline in 2022,” said Eva Velasquez, ITRC President and CEO. “As organizations of all sizes struggle to defend the data they hold, it is essential that everyone practice good cyber-hygiene to protect themselves and their loved ones from these crimes.”

Velasquez also notes the report reflected a shift in the identity crime space.

“Too many people found themselves in between criminals and organizations that hold consumer information. We may look back at 2021 as the year when we moved from the era of identity theft to identity fraud. The number of breaches in 2021 was alarming,” said Velasquez.

“Many of the cyberattacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them. If those defenses failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud.”

Security experts say that the bar for successful hacking may have been lowered over the past few years by innovations such as Ransomware-as-a-Service (RaaS) and artificial intelligence. Cybercriminals can now successfully complete their criminal acts online without the level of knowledge and understanding previously required.

Redding, Compliancy Group’s Vice President of Partner Engagement & Cybersecurity, points out that hackers and other cybercriminals are not simply mischievous teenagers playing around.

“Cybercriminality is the 13th largest sector of the global economy. On the dark web, you can apply for very lucrative jobs such as ransomware engineer and receive packages that include insurance, 401k, paid vacation, etc. It’s a career that STARTS at 200k,” said Redding.

“On the flip side of this coin, you have the emergence of hack-as-a-service solutions that you can basically pay to have someone attack whomever you want for you – you just sit back and wait for the attacker to deliver whatever you sent them to steal for you.”

James E. Lee, Chief Operating Officer at ITRC, says healthcare providers, business associates, and other businesses may want to consider adding cyber liability insurance as an added defense against threat actors.

“For businesses, cyber insurance is a good investment given an ‘average’ data breach costs businesses more than $9 million, according to IBM,” said Lee.

“The ITRC’s data shows small businesses stand to lose hundreds of thousands of dollars up to as much as $1 million, which are costs most small businesses cannot easily absorb. Cyber insurance can certainly lessen the blow.”

HIPAA compliance is one current tool utilized by the federal government to help protect the privacy and security of patient PHI and ePHI. Lee says lawmakers can and must do more to expand on current regulations to protect businesses and consumers.

“The ITRC has testified before the U.S. Senate that there are steps that can help reduce the number and impact of cybercrimes,” said Lee. “For example, adopting minimum cybersecurity and data privacy standards at the federal level of government can help reduce the number and impact of data breaches.”

Redding warns that the consequences for failing to act can be measured in lives as well as dollars.

“We are engaged in a very large-scale shadow war with nation-states like China and North Korea who incentivize criminal organizations in their respective countries to attack American infrastructure,” said Redding. 

“Healthcare as a whole is a very attractive target to these groups. If I can ransomware a hospital and shut down their critical systems, people are going to die, and chaos ensues. Sometimes, this is the actual goal – not the ransom, but the attack itself.”