• Politics
  • Diversity, equity and inclusion
  • Financial Decision Making
  • Telehealth
  • Patient Experience
  • Leadership
  • Point of Care Tools
  • Product Solutions
  • Management
  • Technology
  • Healthcare Transformation
  • Data + Technology
  • Safer Hospitals
  • Business
  • Providers in Practice
  • Mergers and Acquisitions
  • AI & Data Analytics
  • Cybersecurity
  • Interoperability & EHRs
  • Medical Devices
  • Pop Health Tech
  • Precision Medicine
  • Virtual Care
  • Health equity

Nearly 50 million Americans impacted by health data breaches in 2022

Article

The number of breaches dipped in the second half of the year, but the number of people affected rose sharply, according to a new report.

Nearly 50 million Americans were affected by data breaches involving health records in 2022.

That’s the disturbing figure from a new analysis released Wednesday by Critical Insight, a cybersecurity company.

The number of breaches actually dropped in the second half of 2022, the report found. There were 313 breaches from July through December, down from 345 in the first half of the year, a 9% decline.

However, even as the number of breaches dropped, more individuals were affected by those breaches in the latter part of the year.

There were 28.5 million Americans affected by breaches in the second half of 2022, compared to 21.1 million during the first six months of the year, which represents a 35% increase. In the last six months of the year, the average health data breach affected more than 91,000 individuals.

Health systems still have a lot of work to do to protect patient records from cyberattacks, said John DeLano, a co-author of the report and the vice president of ministry and support services at CHRISTUS Health.

“We feel like we've made some progress, because overall, the breach numbers are down,” he said. “But realistically, when you look at it, the number of records affected are up. And so that, to me, is the bigger problem.”

There were 658 breaches in 2022, down from 711 in 2021. The report found that 49.6 million Americans were affected by breaches in 2022, which actually represents a drop from 53.4 million in 2021.

Still, the impact of breaches has grown substantially in recent years. In 2020, 34.4 million Americans saw private information exposed in breaches. There were 662 breaches in 2020, which is virtually the same number as in 2022, but last year’s attacks and breaches affected 15 million more people.

(We talked with John Delano about the cybersecurity report in this video. The story continues below.)

More sophisticated attacks

Attackers are starting to shift some of their efforts to gain access to health records. While criminals are targeting hospitals and healthcare providers, they are also gaining access by going after the other businesses health systems rely on every day, including third-party vendors, accounting, billing and lawyers.

In the second half of the year, more records were exposed due to breaches occurring at business associates (48%) than at healthcare providers (47%).

Over the course of 2022, 71% of all health data breaches occurred in healthcare providers, while 17% of breaches were linked to business associates, and 12% of breaches came from health plans, according to the report.

Delano said healthcare organizations are paying more attention to the security of data being handled by third-party vendors and other business associates, and they are spelling out legal requirements to protect that patient information. But it’s a difficult task.

“It's hard for organizations, because we deal with a lot of third parties, we deal with a lot of business associates, and having the bandwidth to be able to periodically check in on them and make sure that they're treating your data the way you would treat it, becomes very difficult. And that's hard to maintain,” Delano said.

Attackers did their most damage by obtaining records from network servers, according to the report.

“Network servers were the jackpot for hackers,” accounting for 90% of the records that were breached, according to the report.

Attackers are apparently finding more success in gaining access to electronic medical records, the report states. While breaches involving electronic medical records were nonexistent in the past, the report said 7% of breaches involved EMRs in the first half of the year, and 4% of breaches in the last six months of 2022. For the year, 6 million patient records were exposed due to EMR-related breaches, according to the report..

“When you've got a database of records that could span 10 or 15 years, you're going to have a lot of patients that are impacted,” Delano said.

Some breaches are becoming more damaging because attackers are getting more sophisticated.

In the past, health systems built defenses against “script kiddies, people that just kind of Googled how to hack something, and they're looking for commonly known vulnerabilities, but they don't really know what they're doing,” Delano said.

Now, Delano said, “They're more sophisticated. And so, that is becoming a challenge, because it used to just be that you had to protect from some common known stuff, and now people are actually doing real hacking.”

Among the larger breaches of the year, CommonSpirit Health suffered a ransomware attack that impacted 600,000 patient records, the report noted. The system took its electronic medical records offline and had to reschedule some patient appointments.

Health systems still continue to see breaches occurring through email. In the second half of 2022, 20% of breaches occurred via email, which was down from 30% in the first half of the year.

“A lot of organizations do phishing campaigns, and I think that's helped,” Delano said. “Although phishing campaigns are getting more sophisticated as well. It used to be pretty easy to spot one now. Now it's a lot more difficult.”

‘You can’t do nothing’

Healthcare leaders need to be engaged in helping their systems improve their cybersecurity, Delano said.

“You can't make excuses,” he said. “You can't do nothing. So, start talking to your board, if you're not talking to your board, about the challenges, about the concerns. Make sure that your executives are aware of the challenges, aware of the threats. And, you know, don't sit on the sidelines.”

Ransomware attacks continue to frustrate hospitals and health systems. In a recent survey of healthcare IT professionals by the Ponemon Institute, nearly half (47%) said their organizations experienced a ransomware attack in the past two years. More IT professionals are saying the attacks led to complications in patient care, with 45% reporting complications from medical procedures due to ransomware attacks, up from 36% in 2021

Regal Medical Group, based in California, said last week that a ransomware cyberattack exposed patient information. More than 3 million people could have been affected, according to a database of breaches kept by the U.S. Department of Health & Human Services.

Delano said he was encouraged by the recent success of the FBI in disrupting the Hive ransomware gang, which has targeted hospitals and health systems. The Justice Department said last month that the FBI managed to penetrate Hive’s systems and thwart up to $130 million in ransom demands.

“Certainly a small healthcare organization’s not going to have the resources to combat that,” Delano said. “So getting the DOJ or the FBI involved, and helping to kind of work some of these gangs or criminal activity that's happening out there, is a benefit to everyone.”


Related Videos
Image credit: ©Shevchukandrey - stock.adobe.com
Image: Ron Southwick, Chief Healthcare Executive
Image credit: HIMSS
Related Content
Image credit: ©thodonal - stock.adobe.com

Why hospitals are joining nursing homes in fighting minimum staffing rules

April 24th 2024
Article

The federal government has finalized the first staffing standards for nursing homes. Long-term care facilities say the rule is unrealistic, and hospitals say it could limit post-acute care options.

Why preventive medicine needs more support | Healthy Bottom Line podcast

Why preventive medicine needs more support | Healthy Bottom Line podcast

April 16th 2024
Podcast

Mirza Rahman, president of the American College of Preventive Medicine, talks about the need for more federal support for residency programs and a greater appreciation for population health.

Image credit: ©Lightfield Studios - stock.adobe.com

Change Healthcare cyberattack: Many Americans could be affected, hospitals still hurting

April 24th 2024
Article

UnitedHealth Group says it could take months to identify all those impacted. The data breach is posing headaches for hospitals.

The rise of third party cyberattacks in healthcare | Data Book podcast

The rise of third party cyberattacks in healthcare | Data Book podcast

March 11th 2024
Podcast

Dan Dodson, the CEO of Fortified Health Security, talks about the risks to hospitals, AI in attacks and defense, and what health systems can do to protect themselves.

Image credit: ©chanawit - stock.adobe.com

Feds want hospitals, health providers to provide data on carbon emissions

April 23rd 2024
Article

The Centers for Medicare & Medicaid Services is aiming to create a voluntary program for hospitals to share information about their impact on the environment.

Image credit: ©zephyr_p - stock.adobe.com

Earth Day, hospitals and sustainability: 'We've seen the momentum change'

April 22nd 2024
Article

More hospitals and health systems are working to reduce their impact on the environment.

© 2024 MJH Life Sciences

All rights reserved.