Data breaches in the healthcare industry are on the rise in the United States, and more people are affected each year. While the number of breaches is rising, the number of affected patient records is soaring, having tripled since 2018.
The healthcare industry doesn’t limit itself to clinics, hospitals and the like, but includes business associates as well, which is an umbrella term for all the people and organizations that deal with protected health information. And that protected information is what hackers want.
Private medical records can sell for up to $1,000 on the dark web, especially when they include details such as real names, Social Security numbers, addresses, and so on. Hackers will either look to compromise this data and hold it for ransom or try to exfiltrate it and sell it on the dark market. Sometimes, criminals do both.
A conservative estimate
Tallying all of the data breaches in 2019 is not possible, for a couple of reasons. First of all, not all data breaches are reported to the proper authorities or made public. Secondly, it’s highly likely that some data breaches have yet to be discovered. Whatever the reason, the figure of 41,404,022 patient records affected by data breaches in 2019 is an underestimate.
All in all, the number of patient records affected tripled in 2019 from 2018, according to the research, which is interesting because the healthcare industry has been trying to better adopt good practices. For now, it’s unclear whether any of this data has hit the dark web, but it’s not unlikely.
Insiders and hackers are to blame
Two vectors need to be considered when it comes to compromised patient records. Insiders are a problem, whether through errors or malice, but most records are lost to hacking incidents.
Insiders are people who work in the industry, and since they have direct access to the data, they could expose it by mistake. In fact, 3.65 million records were exposed just because of human mistakes. By comparison, insider wrongdoing is responsible for 136,566 compromised records.
Hacking is where the healthcare industry is the most vulnerable. The criminals adapt their methods to evolutions in protection and other trends in cybersecurity. Until recently, a ransomware attack would block the activity of a company and data breaches were used to steal data.
Now, these two events can happen at the same time, with some ransomware gangs stealing private data after compromising the network. Making matters worse, some criminals use the stolen data to extort individual users, threatening to publish their photos and medical information.
2019 saw 330 hacking incidents, a clear increase from the 220 registered in 2018 and 176 in 2017. This meant that, in 2019, almost 37 million patient records were breached.
These incidents are also not clear cut, because healthcare organizations take a very long time to discover a breach: an average of 224 days. In practical terms, this translates into a simple fact. Right now, there are ongoing data breaches, with hackers accessing private information, and nobody knows about it.
There’s no reason to believe the wave of attacks on the healthcare industry will slow down. If anything, the trend shows there will be even more in 2020. Clinics, hospitals, and other players in the health field have to beef up their cybersecurity and better train people directly working with patient data.
The information about compromised patient records was collated by Protenus from the US Department of Health and Human Services (HHS), the media, and other sources.