Healthcare industry continues to be top target for cybercriminals

In today's digital world, criminal activity is a constant threat. Cybercriminals only need to gather a few minor details to hack email or company accounts. If successful, they can use this information to break into bank accounts, impersonate employees, and sell both commercial and personal data.

There are ways to protect a company’s digital presence, but hackers evolve new ways to break through these measures. While hacking personal platforms is common, cyber criminals reap greater rewards by targeting large organizations with high financial value or ones that store masses of personal data. For the latter, there is one industry that hackers target the most often — healthcare.

Why is healthcare a major target for cybercriminals?

Historically, the healthcare industry has faced some of the most severe cyber-attacks. Because they handle vast amounts of sensitive patient data, they're a top target.

Hackers often gain sensitive information by hacking into electronic medical record (EMR) systems, which store patient information and make up 8% of all hacking breaches. The problem lies in how multiple healthcare facilities use the same EMR vendors. If someone can successfully hack one system, they're not just obtaining one facility's records, but several.

The healthcare industry is a thinly-stretched, around-the-clock sector requiring an army of professionals to keep it running. With so much time and resources dedicated to patient care and a reluctance to disturb daily working practices, updating software and technologies is often pushed down the priority list. Of course, this leaves the healthcare industry trailing behind security trends, making it an easier target.

The number of breaches shot up at the start of the pandemic when the healthcare industry shifted its focus elsewhere. Breach cases reached a record high of 393 in the second half of 2020. While that figure fell to 324 breaches in the first half of 2022, the number is still much higher than before the COVID-19 pandemic. Things might be looking better than they were two years ago, but it’s still essential for healthcare to implement more robust security defenses.

The biggest medical breaches

There have been many medical data breaches over the years, with the most significant falling to Anthem Inc. Now recognized as Elevance Health, a major phishing attack hit the health insurance provider in 2015. During the intrusion, hackers obtained a range of customer details, including:

  • Names
  • Dates of birth
  • Home addresses
  • Social security numbers
  • Employment information
  • Income
  • Personal email addresses
  • Anthem health ID numbers

The data breach affected 78.8 million people, and the financial impact of the cyber attack on Anthem was disastrous:

  • $2.5 million in consultation costs
  • $115 million for improved security
  • $31 million to notify the public and those affected
  • $112 million credit protection for affected individuals

Anthem incurred a total financial loss of $260 million, more than any other US healthcare company.

Who are the primary victims of healthcare-based cyber attacks?

Interestingly, the pattern of cyber attacks in healthcare has seen a shift. Instead of putting hacking efforts into large healthcare facilities, criminals are looking to smaller organizations with the assumption of weaker defenses.

The Eye Care Leaders specialize in providing ophthalmology-specific EMR systems to more than 9,000 physicians across the country. The company experienced a mega-breach in December 2021, which exposed more than 2 million records. Shields Health Care Group, an imaging provider, faced similar numbers in March 2022. While it is understood the breach was handled quickly and efficiently, the impact could have affected 56 facilities.

When discussing who the primary cyber attack healthcare victims are, it’s helpful to consider the three main categories within the industry:

  • Healthcare providers
  • Healthcare plans
  • Business associates

Out of the three entities, healthcare providers make up the most significant number of breaches year-on-year. Healthcare plans have historically followed closely behind but were surpassed in early 2022 by business associates, which includes EMR providers. With the number of breaches faced by business associates rising from 10.3% in 2019 to 14.5% in 2022, they are now the second-most breached entity.

However, it’s not just down to the number of breaches each entity faces, but the individuals affected per case. Healthcare providers experience more cyber security breaches, affecting an estimated 59,000 records every time. Business associates don’t experience as many breaches, but each breach affects 97,000 records. Ultimately, while smaller healthcare facilities are the primary target for cyber attacks in healthcare, many individuals whose details are breached are viewed as the primary victims.

Which state faces the most cyber attacks?

According to the most recently published FBI Internet Crime Report, the US faced an uncommonly high increase in criminal cyber activity in 2021. The Internet Crime Complain Center (IC3) received 847,376 complaints of cyber-related criminal activity — a total financial loss of $6.9 billion. Over 51,000 of those complaints were related to personal data breaches.

Interestingly, some US states face more attacks year-on-year than others. However, although a state has a higher number of personal victims, that doesn't always equate to overall financial loss.

In 2021, California had more victims than any other state, ending with 67,095 complaints. That number is significantly higher than other states, so it makes sense for the financial loss to be as such ($1.2 billion).

Florida came in second place for the total number of 2021 victims. However, while Texas and New York had fewer victims, they surpassed Florida in terms of the total financial loss per state.

StateTotal victims (2021)Financial loss (2021)
California67,095$1,227,989,139
Florida 45,855 $528,573,929
Texas 41,148 $606,179,646
New York 29,065 $559,965,598
Illinois 17,999 $184,860,704
Nevada 17,706 $83,712,410
Ohio 17,510 $133,666,156
Pennysylvania 17,262 $206,982,032
Washington 13,903 $157,454,331
New Jersey 12,817 $203,510,341

How to prevent cyber attacks in healthcare

All entities within the healthcare industry must consistently keep up with and implement measures to prevent a medical data breach.

As well as having a responsibility to provide physical patient care, the healthcare industry is legally required to protect its patient and organizational data from potential cyber-attacks under the US Health Insurance Portability and Accountability Act (HIPAA). This act is regulated by the Department of Health and Human Services (HHS) and applies to any facility that handles protected health information (PHI).

HIPAA guidelines for healthcare professionals require every facility to implement effective and up-to-date technologies that can effectively secure patient data and avoid an attempted medical breach.

RudderStack is a customer data platform with a focus on privacy and security to provide clients with robust data pipelines to collect and leverage their data with complete control.

The business earned HIPAA-compliant status in 2022 and is recognized for using advanced technologies to protect data from criminal activity. Since becoming HIPAA compliant, RudderStack has helped healthcare companies like Accrux protect their patient data with modern and effective customer data security tools.

The Data Maturity Guide

Learn how to build on your existing tools and take the next step on your journey.

Build a data pipeline in less than 5 minutes

Create an account

See RudderStack in action

Get a personalized demo

Collaborate with our community of data engineers

Join Slack Community