Medical records in Indiana become a lucrative target for hackers: What to know

Binghui Huang, Indianapolis Star
Updated ·4 min read

Over the past six months the Community Health Network has had multiple cybersecurity breaches, informing patients that some of their private information had been exposed. Nor is the regional health system alone in its vulnerability; in recent years almost all of central Indiana's hospital systems have at some point warned patients their information may have been compromised.

Cyber attacks on hospitals have increased by nearly 50% since 2020, making the industry the biggest target, according to U.S. government data and a 2022 analysis from credit rating agency S&P.

Small private practices and independent hospitals have given way to regional and national health networks that hold data for millions of patients, making them a lucrative target for cyber criminals looking for big payouts. So much so that nearly half of hospitals have had to disconnect their networks at some point due to escalating ransomware attacks, according to a Philips/ Cyber MDX study.

The most recent example of that here occurred on Nov. 17 when Community Health Network posted that an email account had been hacked, exposing patient information.

The regional health system posted a notice of another breach over the summer, informing some patients that personal data, such as address, birthday, health insurance data, diagnosis and medical record data were exposed.

When asked for specifics regarding the breach, the health system referred to its published statements. It's unclear how many patients were impacted.

Over the summer, IU Health posted a similar warning to patients about a breach. In the last five years, Ascension, Franciscan and Eskenazi health systems all suffered from data hacks.

"We remind individuals to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity," Community Health Network wrote to patients on its website Nov. 17. "We also recommend that our patients and their families review the explanation of benefits statements, and follow up on any items not recognized."

While patients don't have control over these attacks, there is something they can do.

Patients are encouraged to ask about the storage and protection of their data, but should not withhold critical health information for fears that their data is not secure, said Eugene H. Spafford, a professor at Purdue University specializing in cybercrime and network security. Just as with credit cards and social media accounts, users would benefit from learning security best practices.

The risk of getting poor care from limited information is far greater than the risk of having medical information leaked, Spafford said.

"If people aren't honest and forthright, they aren't going to get the best care or the right care," he said. "The right response is to ask about the mechanism of data protection, maybe even raise the issue with elected representatives."

Hacks will likely cost the health system more

To adapt to the rise of cybercrime directed at hospitals, health care systems have invested more in security, experts said. In fact, most have a high-ranking executive in charge of data security.

An S&P financial analysis of the hacks found that while attacks on health systems are lucrative for cybercriminals, hospital administrators with huge budgets have largely swallowed these costs without long-term damage to the networks' financial health thanks to insurance coverage.

But that may change as attacks get more sophisticated.

Insurance companies are already refusing to cover large losses from cyber attacks, especially if the hospital system neglected to use best practices for security. Class action lawsuits filed by patients also put financial pressure on health systems. A Bloomberg analysis found that such lawsuits have doubled on a monthly basis this year compared to last.

Community Health Systems, a national chain that runs more than 70 hospitals and 1,000 other health offices and clinics that is unconnected to the Community Health Network based in Indianapolis, is being sued for a data breach that impacted some 1.2 million patients. Those filing the suit claim the company did not do enough to protect their data.

Eskenazi was sued in 2021 after a major hack. The health system notified 1.5 million current and former patients that cyber criminals gained access to patient health and financial information, according to court documents. Eskenazi did not pay the ransom and shared that the hackers released "a portion" of patient health information on the dark web. The case is in mediation.

Any system can be attacked. A good one prevents loss

While any health system could be susceptible to an attack, say through an employee clicking a bad link, hospitals can take steps to protect against significant loss of confidential data, Spafford said.

Some best practices are to encrypt patient data so that if it's stolen, it can't be used. Health systems can also separate data from the identifying information, such as names and addresses.

"We're trying our best to prevent big outbreaks or problems by spotting things early and taking preventive care," he said.

Binghui Huang can be reached at 317-385-1595 or Bhuang@gannett.com

This article originally appeared on Indianapolis Star: Indiana systems falling prey to increasing hacks into medical records