Health care data breaches hit 1 in 3 Americans last year: Is your data vulnerable?
Patients were inundated with spam texts and other annoyances after the massive HCA Healthcare data hack disclosed last July compromised the records of more than 11 million people.
A Florida resident learned through a credit monitoring service that his personal information had turned up on dark web forums. He had to swap out credit and debit cards after fraudulent charges surfaced, according to a federal lawsuit.
A Richmond, Virginia, mom, who'd given birth to triplets in September 2022, received data breach notices addressed to herself and one of her three infants. Since then, she’s received “suspicious medical bills” the hospital has been unable to explain, according to the same class action suit.
The HCA theft was the largest hospital breach in 2023, a year in which about 1 in 3 Americans were affected by health-related data breaches. The number of attacks has surged in recent years. They've typically been carried out by organized hackers, often operating overseas, who target the computer systems of health providers and the vendors and companies that serve them. Most of the largest hacks targeted vendors who bill, mail or provide other services for hospitals, doctors and other health providers.
Last year, a record 133 million health records were exposed in data breaches mainly carried out by hackers who've attacked health providers and their vendors, infiltrated computer systems and demanded ransom or other payments. An average of two health data hacks or thefts of at least 500 records were carried out daily last year in the United States, according to an analysis by The HIPAA Journal.
The health care industry has sought to bolster its defenses against these sophisticated hacks with some success.
These now-routine attacks can hassle consumers, and their families must monitor their credit histories with credit-reporting agencies. In the worst cases, bad actors use or sell personal identifying information to credit and debit card fraudsters who open accounts in the victims' names, leaving a digital trail that can take years for victims to clear.
The HCA theft targeted an external storage system for the Nashville, Tennessee-based company, a hospital chain with locations in 20 states. This system contained patient names, addresses, emails, phone numbers, dates of birth and genders of patients along with dates and locations they'd received service. No health data, such as diagnoses or conditions, was stolen, HCA officials said.
Attorneys for 15 victims said in court documents filed Feb. 2 at the U.S. District Court in Nashville that they "seek to hold HCA responsible" for the data hack "due to its impermissibly inadequate data security measures."
HCA has not yet responded to the filing, which seeks class-action status, but a representative said the health provider would respond in court. The official defended the hospital chain's efforts to improve its cyber defenses.
"HCA Healthcare has several robust security strategies, systems and protocols in place to help protect data," said Harlow Sumerford, HCA's spokesperson. "Not publicly discussing the details of our security measures is part of our overall protection strategy."
Sabita Soneji, one of the lawyers representing HCA patients whose identifying information was accessed, said the victims have "good reason to be worried" because the breach puts them at risk for identity theft, fraud and scams.
"If you're going to be in the business of collecting (personal) data, you better take care of it," Soneji said.
Health care hacks set new record in 2023
Government regulators who enforce data privacy laws have tracked a record number of major data hacks.
Health care providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act, or HIPAA, must notify the Department of Health and Human Services and individuals if their health information has been breached.
The HHS Office for Civil Rights, which oversees how companies protect health data, requires that health providers report breaches of protected health information. The agency investigates whether the breaches involve violations of health information privacy and security laws and publicly reports on its website attacks that affect 500 or more people.
Last year, HHS reported the highest number ever of major health data hacks, 725, and the highest number ever of people affected by them, 133 million. Those numbers eclipsed the previous record in 2015, when hackers targeted the health insurance giant Anthem. The Anthem attack remains the largest-ever health data breach. In that electronic heist, hackers accessed names, Social Security and medical identification numbers, addresses, dates of birth, emails and employment information of more than 78 million people.
Experts say last year's figures show the changing nature of such attacks, as hackers increasingly target businesses that handle health information but don't provide direct care to patients.
Of the top 20 hacks in which 1 million or more records were accessed last year, the vast majority targeted businesses that provide services to hospitals and health providers, said John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk.
Perry Johnson & Associates (PJ&A), a Henderson, Nevada, company that transcribes medical notes on behalf of hospitals, doctors and other health providers, reported a data breach last year that affected nearly 9 million, according to a November filing with HHS.
However, other notices suggest the PJ&A data breach might be larger. That hack breached information from health providers such as Northwell Health of New York, Concentra Health Services of Texas and Cook County Health.
In an updated notice filed this month with the Maine attorney general, PJ&A said the data hack spanned from March 27 through May 2 and affected the records of 13.3 million people, which would make it the largest hack of 2023.
New York Attorney General Letitia James urged 4 million New York City and Syracuse-area residents affected by the PJ&A breach to take steps such as credit monitoring and placing a fraud alert on credit reports. She also encouraged affected individuals to obtain copies of their medical records, contest unrecognized medical bills and inform their health insurers about the hack.
PJ&A representatives did not respond on Friday to questions from USA TODAY about the hack.
Riggi, of the American Hospital Association, said third-party data breaches are particularly challenging for hospitals and other health providers to police. HIPAA requires that hospitals and health providers ensure that the companies handling their health records do so in a secure manner.
"It's virtually impossible in this day and age of highly complex networks and software to ensure our third parties meet all the security standards," Riggi said. "Hospitals don't have control or visibility into their networks. We have to take their word that they patched their liability."
Even Medicare was targeted by hackers
Federal, state and local governments have not been immune to such data intrusions. Last July, the Centers for Medicare & Medicaid Services announced a breach that compromised the records of 2.3 million beneficiaries. The hack targeted MOVEit Transfer, a software program used on the computer network of the Medicare contractor Maximus Federal Services Inc.
The MOVEit Transfer software hack was first disclosed by the software manufacturer Progress Software Corp. The hack ultimately affected tens of millions of people across more than 2,000 companies, government agencies and universities, according to an analysis by the data security company Emsisoft.
Federal investigators determined that a Russian ransomware group called Clop was able to exploit a vulnerability in the MOVEit software program in a wide-ranging attack.
"Through that one vulnerability across government and all types of private sector industries, including health care, they were able to access millions and millions of health care records," Riggi said.
Ransomware organizations wreaking havoc
These organized hacks are often carried out by criminal organizations seeking to profit from these attacks.
In recent years, hackers have disrupted hospital and health care systems in ransomware attacks. As the name implies, hackers take control of a hospital's data systems and demand a ransom payment for the return of control. Ransomware attacks more than doubled from 2016 through 2021, according to a study published in JAMA Health Forum.
Criminal organizations are also branching out and trying new strategies to make money, said Charles Henderson, global head of IBM Security X-Force, which provides threat intelligence and data security services.
Among their tactics: They demand ransom, threatening to release or sell personal identifying information of a health system's patients.
"They're figuring out that certain monetization strategies are more lucrative than others," Henderson said.
Other cybersecurity experts said the health care industry has been a popular target because it has transformed from one run on pen-and-paper orders and records to one that increasingly relies on software systems for electronic health records and, with the advent of telehealth services, for remote communication with patients.
Hackers likely view hospitals and doctors – and especially vendors who serve these health providers – as "soft targets," said Anurag Lal, president and CEO of Infinite Convergence Solutions, which provides secure messaging services.
While the health care industry has been slow to make the type of investment in computer security necessary to repel hackers, Lal said, there are signs the industry is catching up: "The hospitals and health care entities that recognize (modern hacking threats), understand it and get up and do something about it are the ones who will be in the best position to get past this current situation."
Ken Alltucker is on X, formerly Twitter, at @kalltucker, or can be emailed at [email protected].
This article originally appeared on USA TODAY: Health data breaches hit new record in 2023