Hacks on hospital records are surging. Here's why your medical data is vulnerable.

In November 2021, Southern Ohio Medical Center diverted ambulances and canceled appointments after hackers gained access to the hospital's computer systems.

The two-day cyberattack temporarily took down the mid-sized nonprofit's electronic medical records and disrupted units such as cardiovascular catheterization, cancer care, outpatient surgeries and rehabilitation. In all, the hospital reported the hackers breached records of more than 15,000 individuals.

The attack is an example of a growing trend of hackers seeking to disrupt health care or compromise the medical and personal records of tens of millions of people every year in search of profit. Since 2021, one gang demanded and extracted over $100 million in ransom from hospitals and other businesses.

The number of attacks has surged since 2019 with organized hackers, often located overseas, infiltrating the computer systems of health providers, locking up critical files and disrupting care. The trend underscores why hospitals and health companies must upgrade systems to repel these attacks that can delay care, jeopardize patient safety and cost millions to recover from, experts say.

Meanwhile, who hackers are going after is changing. No longer content with stealing data from large companies, attackers are increasingly targeting large metro and small rural hospitals as well as third-party suppliers who bill, mail or provide outsourced services for large health companies.

A database maintained by the U.S. Department of Health and Human Services shows health care’s most recognizable brands have had significant data breaches – some repeatedly.

The companies whose data breaches have affected the most people since 2010 – more than 122 million people – are Anthem, Optum, Premera Blue Cross, Community Health Systems and LabCorp, according to a USA TODAY analysis of HHS data.

Blue Cross Blue Shield affiliates reported the most data breaches – 26 – since 2010, the analysis showed. Kaiser Foundation Health Plan had 20 breaches, followed by Walgreen Co. at 18, and Aetna and Humana both with 17.

Anthem, which has been renamed Elevance Health, operates Blue Cross Blue Shield health plans in 14 states and has reported 11 data breaches since 2010. Anthem was the target of the largest-ever health breach in 2015, when hackers accessed names, Social Security and medical identification numbers, addresses, dates of birth, emails and employment information of 78.8 million people.

Eight of Anthem's 11 data breaches came after the large 2015 cyberattack, and all affected far fewer individuals. The company has since paid millions of dollars to the federal government for potential violations of HIPAA protections, as well as millions more to settle with states.


"It's definitely a crime of opportunity," said Hannah Neprash, an assistant professor of health policy and management at the University of Minnesota.

A surge in cases during the COVID-19 pandemic "was no coincidence," she said. "It was very much a conscious decision on the part of ransomware actors to take advantage of the fact that the health care system was pretty overwhelmed."

The FBI has sought to counter the attacks carried out by international thieves and has had some success. Still, the responsibility for repelling the attacks rests with hospitals, health insurers and other health entities who must build robust defenses.

'Targets who can't fight back'

Health care was slow to adopt computerized records. But a push to switch from pen and paper records to computerized systems accelerated after a federal stimulus bill passed in 2009, which provided lucrative payments to hospitals and other health-related entities that digitalized patient records.

As of 2021, 96% of conventional hospitals had electronic health records, though rates were slightly lower for psychiatric and other specialty hospitals, according to HealthIT.gov.

The switch created a rich target for hackers, experts say.

The federal government’s efforts “created a tremendous amount of cyber risk exposure with all this technology that was deployed,” said John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk. “So now we're left with the responsibility to protect the networks and technology that we were incentivized to implement by the federal government.”

The nature of these attacks has also changed.

A decade ago, hackers were more likely to steal personal data, such as Social Security or credit card numbers, and sell that information on the black market. Now, they are increasingly demanding ransom payments from hospitals and other health providers.

A study published in JAMA Health Forum found that ransomware attacks, a type of data breach, more than doubled from 2016 through 2021, jumping from 43 to 91 and exposing the personal health information of 42 million people. Almost half of those attacks disrupted health care services: electronic systems were shut down, appointments canceled or ambulances diverted.

The hackers are savvy and do not discriminate, with some attacking large, seemingly lucrative health organizations while others target smaller hospitals and health companies that may be easier to go after.

"The concept is to lock up a computer and you could extort money as a result," said Charles Henderson, global head of IBM Security X-Force, which provides threat intelligence and data security services. "If you look at business strategy of organized crime, they look for targets who can't fight back, who can't afford to not pay."


Hackers cause 80% of health data breaches

Government regulators who enforce data privacy laws have been overwhelmed by the surge in cases.

The HHS Office of Civil Rights, which oversees how companies protect health data, had a 69% jump in cases since 2017. Of the more than 51,000 complaints the agency fielded in 2022, two-thirds involved violations of health information privacy and security laws.

The workload increased so much that the agency last month announced it has reorganized functions and created a division called Health Information Privacy, Data, and Cybersecurity. OCR Director Melanie Fontes Rainer said the reorganization should improve the agency's "ability to effectively respond to complaints."

The agency's funding has been flat for the past two decades, which has challenged the agency to keep pace with higher work volumes, said Rachel Seeger, a spokeswoman for the Office of Civil Rights.

"While settlements have been a source of funds in the past, this amount is dwindling as the civil monetary penalties were capped in the Trump administration, something for which OCR is working on a legislative fix," she said.

Health care providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act, or HIPAA, must notify the Department of Health and Human Services and individuals when their health information is breached. The agency then investigates to learn the scope of the breach and whether the entities properly safeguarded the information. If not, they could face big fines.

The agency publicly reports data breaches of protected health information affecting 500 or more people. Those large breaches increased from 663 in 2020 to 714 in 2021. Hacking accounts for 80% of the large breaches the federal agency has received. Other data breaches are the result of health entity miscues such as improper disposal of data, unauthorized access or theft of records.

The agency's reorganization aims to streamline cases and assign investigators to their areas of expertise. Under the old structure, cases could take years to resolve.

For example, Phoenix-based Banner Health reported a data hack in 2016 that exposed the health information of 2.8 million people. Federal investigators said Banner didn't analyze risks and vulnerabilities, insufficiently monitored its health information systems, and failed to implement security measures to protect health data.

The health system agreed to settle these potential violations and pay a $1.25 million penalty. The case took over six years to resolve.

When investigating a data breach, regulators evaluate factors such as the size of the data breach and any physical or financial harm from such incidents, said Nick Heesters, senior adviser for cybersecurity at the HHS Office of Civil Rights.

A provider with repeated data breaches might face a more significant fine.

"That's one of the factors," Heesters said. "That's in the rules that OCR needs to consider when we're assessing those penalties."

After the attack on Anthem in 2015 that exposed the electronic health information of 78.8 million people, the insurer paid $16 million to HHS Office for Civil Rights and agreed to take corrective action to settle potential HIPAA violations. The company also paid $39.5 million to settle claims with attorneys general in 43 states.

In a statement, parent company Elevance Health said the company "takes the security of its data and the personal information of consumers seriously and is committed to safeguarding PHI (protected health information) and PII (personally identifiable information), while adapting to the evolving health care information security environment."

But hospitals and other health entities need help from the federal government to counter cyberattacks carried out by gangs or individuals in nations such as Russia, North Korea and China, said Riggi, an FBI veteran and cybersecurity and counterterrorism expert.

He wants the U.S. to adopt similar tactics used to counter terrorism to conduct "foreign offensive operations" to go after the hackers.

"We can't defend against these bad guys on our own," Riggi said. "You need the government to go on offense as well."


What's being done to protect data?

In January, the Justice Department announced the takedown of the Hive ransomware group, which had targeted more than 1,500 victims, including hospitals, schools and businesses. One hospital had to use pen and paper records and halted new admissions during the COVID-19 pandemic.

By entering Hive's computer systems, authorities captured encryption keys and gave them to 300 entities that were under attack. The Hive group had already extracted more than $100 million in ransom from victims around the globe, but a federal campaign halted its attempt to extort an additional $130 million, officials said.

The Justice Department did not announce any arrests nor did it reveal the location of the individuals behind the ransomware attacks.

In Anthem's 2015 attack, charges are pending against Fujie Wang, 36, of Shenzhen, China, and an unnamed accomplice. They were charged in 2019 but neither has ever appeared in court, according to a spokeswoman for the U.S. Attorney's Office in Indianapolis. Wang remains on the FBI's most wanted list.

The FBI field office in Indianapolis did not immediately answer questions about attempts to locate Wang.

Riggi said it's difficult to prosecute these cases because hackers are often located in nations unwilling to cooperate and extradite the individuals to the United States. That's why it's important to conduct an offensive such as the FBI's disruption of the Hive group, Riggi said.

Hospitals and health providers must also shore up their own defenses by training staff to be aware of such threats. These attacks often begin with phishing emails that count on an unwitting employee to click a link that delivers ransomware to the health system's computers.

To counter these attacks, hospitals and health companies have beefed up their own information technology staffs and turned to cybersecurity consultants to bolster defenses.

Henderson, of IBM, said sophisticated hospitals undergo training and scout for vulnerabilities. That might include reviewing potential entry points for hackers across the health system. Some hospitals are also doing mock attacks to see how well their system is prepared for the real thing.

He said hospitals and health providers will remain an attractive target for ransomware criminals because their computer systems are so important to delivering health care. If those systems go down and care is delayed, that can be the difference between life and death.

"If you're looking for a target that's more likely to pay a large sum of money," Henderson said, "health care's got to be at the top of your list."


This article originally appeared on USA TODAY: As data breaches surge, your medical info is vulnerable to hackers