Criminal Healthcare Cyberattacks on the Rise

Healthcare data breaches have occurred more frequently over the past few years.1 With the cyberattacks over the last year on Premera Blue Cross, Community Health Systems, Anthem Inc., and CareFirst, millions of Americans have had their information potentially exposed to hackers.2 Not only have the cyberattacks occurred more frequently, but the number of patients exposed has also grown exponentially.3 In January 2015 alone, two different healthcare cyber security breaches were discovered, affecting more than 90 million Americans, compared to only two million affected individuals in the entirety of 2012.4 Even more troubling, the number of criminally motivated breaches, in contrast to employee negligence breaches, has risen to its highest level yet, and now accounts for 45% of all healthcare data breaches.5 These criminal attacks are most commonly committed by nation-state actors, malicious insiders, and thieves who physically steal information.6 In a 2015 study conducted by the security firm Ponemon Institute, 90% of the nearly 200 business associates and healthcare organizations surveyed experienced at least one data breach, and 40% of those surveyed experienced more than five breaches in the past two years.7

Healthcare data breaches have increased exponentially over the past few years, likely due to the extremely valuable information that healthcare entities possess, including names, social security numbers, credit card information, birthdays, addresses, and various medical data points.8 This information can be used to steal an individual’s identity to commit fraud or any number of other malicious acts.  Many attacks have not resulted in the collection of social security numbers or credit card information, but have resulted in the collection of other personal information.9 However, in the largest healthcare cyber security breach to date, which affected approximately 80 million Anthem, Inc. customers, hackers accessed the customers’ personal information, including social security numbers and employment information.10 Fortunately for Anthem customers, to date, no identity theft has been discovered from the breach, so there has not yet been a violation of the Health Insurance Portability and Accountability Act (HIPAA).11

In August 2013, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights Director Leon Rodriguez reported that the majority of data breaches occur because companies have failed to perform an adequate risk assessment and apply the findings to their current practices in order to strengthen those practices.12 However, likely due in part to the increasing number of data breaches, healthcare entities have begun improving their security systems and developing stronger monitoring programs to check for weaknesses in their systems and respond to breaches more quickly.13 In 2013, 69% of healthcare organizations reported that they had some kind of security plan for data breaches, which was 7% higher than in 2012, and 27% of organizations reported that they were developing a plan.14 But indications suggest that these improvements may not be occurring fast enough or functioning effectively enough. The 2015 Ponemon Institute’s study found that approximately 58% of healthcare organizations believed their policies and procedures were effective at preventing data theft, but only 49% have the technology to effectively prevent the breaches, and 33% believe they have enough resources to prevent and detect breaches.15 Without adequate resources and functioning technology, the personal information of patients may still be at risk of cyberattack.

In 2013, HHS implemented its HIPAA Final Omnibus Rule, which clarifies the conditions under which entities must report patient data breaches, and fines the companies up to $1.5 million per violation, depending on their level of negligence.16 According to Director Rodriguez, this rule is expected to increase the number of HIPAA breach cases that result in fines.17 However, by introducing stronger penalties for failure to safeguard patient information, the Omnibus rule may positively affect patients by encouraging healthcare organizations to better protect patient information from cyberattack.

The upward trend in healthcare data breaches is not likely to slow down going forward, considering the technology and information available to hackers. Consequently, healthcare organizations may have an even stronger motivation than before to develop effective security policies and procedures to protect patient information. The significant breach of Anthem’s database, which affected 80 million individuals, served as a “wake-up call” for consumers, who are beginning to show greater concern for the safekeeping of their personal information.18 This heightened public awareness of the data breaches, coupled with the HIPAA Omnibus rule, may fuel the efforts of companies to protect the personal information of their consumers and monitor their privacy systems for problems.19


1. “HIPAA Data Breaches Climb 138 Percent” By Erin McCann, Healthcare IT News, February 6, 2014, http://www.healthcareitnews.com/news/hipaa-data-breaches-climb-138-percent (Accessed 6/3/15).

2. “Up to 1.1 Million Customers Could be Affected in Data Breach at Insurer CareFirst” By Matthew Goldstein and Reed Abelson, The New York Times, May 20, 2015, http://www.nytimes.com/2015/05/21/business/carefirst-discloses-data-breach-up-to-1-1-million-customers-affected.html?_r=0 (Accessed 6/3/15); “Health Care Data Breaches Have Hit 30M Patients and Counting” By Jason Millman, The Washington Post, August 19, 2014, http://www.washingtonpost.com/blogs/wonkblog/wp/2014/08/19/health-care-data-breaches-have-hit-30m-patients-and-counting/ (Accessed 6/3/15).

3. “Slideshow: Biggest Health Data Breaches” By Erin McCann, Healthcare IT News, March 17, 2015, http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches?page=11 (Accessed 6/3/15).

4. “Massive Breach at Health Care Company Anthem, Inc.” By Elizabeth Weise, USA Today, February 5, 2015, http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/ (Accessed 6/3/15); “Infographic: Biggest Healthcare Data breaches of 2012” By Erin McCann, Healthcare IT News, December 21, 2012, http://www.healthcareitnews.com/news/infographic-biggest-healthcare-data-breaches-2012 (Accessed 6/3/15).

5. “Healthcare Data Breaches From Cyberattacks, Criminals Eclipse Employee Error for the First Time” By Kelly Jackson Higgins, Dark Reading, May 7, 2015, http://www.darkreading.com/attacks-breaches/healthcare-data-breaches-from-cyberattacks-criminals-eclipse-employee-error-for-the-first-time/d/d-id/1320315 (Accessed 6/3/15).

6. Ibid.

7. “Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data” Ponemon Institute, May 2015, http://lpa.idexpertscorp.com/acton/attachment/6200/f-037a/1/-/-/-/-/Fifth%20Annual%20Privacy%20and%20Security%20of%20Healthcare%20Data%20Report.pdf?cm_mmc=Act-On%20Software-_-email-_-Thank%20you%20for%20downloading%20the%20Fifth%20Annual%20Benchmark%20Study%20on%20Privacy%20and%20Security%20of%20Healthcare%20Data-_-Click%20here%20to%20download%20the%20report.&sid=232CUrdKz (Accessed 6/3/15), p. 1.

8. “Health Care Data Breaches Have Hit 30M Patients and Counting” By Jason Millman, The Washington Post, August 19, 2014, http://www.washingtonpost.com/blogs/wonkblog/wp/2014/08/19/health-care-data-breaches-have-hit-30m-patients-and-counting/ (Accessed 6/3/15).

9. Goldstein and Abelson, May 20, 2015.

10. “Massive Breach at Health Care Company Anthem, Inc.” By Elizabeth Weise, USA Today, February 5, 2015, http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/ (Accessed 6/3/15).

11. Ibid.

12. McCann, “HIPAA Data Breaches Climb 138 Percent,” February 6, 2014.

13. Millman, August 19, 2014.

14. Ibid.

15. Ponemon Institute, May 2015, p. 3.

16. “New Rule Protects Patient Privacy, Secures Health Information” HHS, January 17, 2013, http://www.hhs.gov/news/press/2013pres/01/20130117b.html (Accessed 6/3/15); “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the GINA; Other Modifications to the HIPAA Rules” Federal Register Vol. 78 No. 17 (January 25, 2013), p. 5565-5702.

17. McCann, “HIPAA Data Breaches Climb 138 Percent,” February 6, 2014.

18. Millman, August 19, 2014.

19. Ibid.
