Health Care Cybersecurity Data Breaches on the Rise

June 21, 2023

May was one of the worst-ever months for health care data breaches, highlighting the need for hospitals and other critical infrastructure organizations to be on high alert.

A recent summary from The HIPAA Journal pointed to a 44 percent increase in reported health care data breaches month-over-month. During May, there were 75 incidents that involved more than 500 records each, the publication reported.

“More (health care) records have been breached in the first five months of 2023 (36,437,539 records) than in all of 2020,” the report notes.

Here’s what you need to know:

• Top trends:  The large majority of breaches (81%) during May involved hacking/IT incidents, The HIPAA Journal reported.
• Worldwide warnings:  Last week, the federal government was hit by a global cyberattack exploiting a software vulnerability in a common managed file transfer solution.
  • A global coalition of cybersecurity organizations also issued a joint advisory about LockBit, the most globally used and prolific Ransomware-as-a-Service (RaaS) during 2022 and 2023. LockBit has attacked organizations of various sizes across a wide array of critical infrastructure sectors.
• By the numbers:  During May, the average data breach involved more than 310,000 records, and the median breach size was above 3,800 records, the journal reported.
• Server concerns:  Many of these breaches involved health information on network servers.
• Quotable:  “As we look to the future, we must all work together to evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and work to ensure ransomware intrusions are detected and remediated before harm can occur,” said Eric Goldstein, Cybersecurity and Infrastructure Security Agency executive assistant director for cybersecurity.

On Friday, the federal government issued an advisory about the TimisoaraHackerTeam (THT), an obscure group that recently attacked a U.S. cancer center. The group appears to be interested in targeting health care and public health (HPH) sector organizations, encrypting files and requiring ransom to allegedly recover them.

“Even among hackers, there is often a code of conduct not to attack hospitals or other HPH organizations that could cause physical harm," the advisory noted. "However, in their purposeful targeting of the healthcare sector, groups like THT abstain from that moral code."

HAP continues to monitor the latest cybersecurity developments and will provide updates to members. For more information about health care cybersecurity, contact Jason Tomashunas, MS, CHEP, HAP manager, emergency management.

Additionally, John Riggi, the American Hospital Association's (AHA) senior advisor for cybersecurity and risk, is able to assist AHA members with expertise and resources about health care cybersecurity.