By Jessica Davis
HCA Healthcare is currently investigating what could be the largest reported healthcare data breach so far this year. A Securities and Exchange Commission filing confirms that HCA Healthcare discovered a threat actor had posted a trove of patient data on the dark web.
The data, including names, contact details, and service locations and dates, was apparently stolen from an external server used exclusively to automate email messages. While the list of data contains appointment-related information and education on health programs, HCA has confirmed no clinical data was taken.
Estimates put the total number of impacted patients at 11 million, a record-breaking number not seen in healthcare since 2019.
However, it was just last month that MCNA Dental reported what was then the largest incident in four years, with 8.86 million individuals affected in yet another systems hack. The month before that, PharMerica had briefly held the record with 5.82 million records exfiltrated during a cyberattack.
The 10 largest healthcare data breaches reported this year each involve well over 1 million patients. In total, these 10 incidents alone account for roughly 42.5 million patients, and that figure does not include the other 328 data breaches reported to the Department of Health and Human Services this year.
The staggering numbers reflect another concerning trend in healthcare: a steep rise in network outages brought on by cyberattacks, with at least two dozen health systems and other healthcare entities brought into downtime procedures – some facing outages for well over a month.
In contrast, only one or two of the largest reported incidents in each year between 2016 and 2020 affected more than 1 million patients. Meanwhile, the combined total of the 10 largest 2023 incidents already exceeds, by a wide margin, the full-year totals reported during most of that five-year period.
The one outlier was 2019, when the overall breach tally was heavily skewed by a single incident: the systems hack of American Medical Collection Agency (AMCA), which impacted at least 25 million patients.
While patient safety should be the driving factor for cyber investments and properly assessing risk in healthcare, data breaches are also important for context as the data provides clear insights into the impact that even one unsecured port can have on an organization when found and exploited by a threat actor.
At least three case studies confirm the patient safety impacts brought on by cyber-induced outages, and there are also first-hand accounts from providers and patients detailing the impacts and concerns over provided care during network outages.
Data breaches provide a tangible pulse of the current state of the healthcare threat landscape. And for 2023, the data paints a troubling picture.
These are the largest incidents reported by singular entities in 2023, so far:
1) HCA Healthcare (11M) (July)
2) MCNA Dental (8.86M) (June)
3) PharMerica (5.82M) (May)
4) Regal Medical Group (3.3M)
5) Cerebral (3.18M)
6) NationsBenefits (3.04M)
7) Harvard Pilgrim Health Care (2.55M)
8) Enzo Clinical Labs (2.47M)
9) Pension Benefit Information (1.21M)
10) Tampa General Hospital (1.2M)
Here’s how 2023 stands out against data from the previous seven years:
2016: Total: N/A; Largest: Banner Health, 3.7M impacted; Notes: the two largest incidents totaled 7M, with just two data breaches affecting more than 1M patients
2017: Total: well over 12.5M; Largest: Molina Health, 4.8M patients; Notes: only two incidents impacted over 1M individuals
2018: Total: 6.98M patient records; Largest: Atrium Health, 2.65M individuals affected; Notes: just two incidents with more than 1M affected patients
2019: Total: 41.1M impacted patients, driven by the AMCA incident; Largest: AMCA, with at least 25M impacted patients; Notes: just three incidents with more than 1M impacted patient records
2020: Total: 14.93M; Largest: Blackbaud, with more than 10M affected patients; Notes: just two incidents impacted more than 1M
2021: Total: 22.6M patients; Largest: Accellion, with 3.51M impacted patients; Notes: all top 10 data breaches impacted more than 1M patients
2022: Total: 22.73M individuals; Largest: OneTouchPoint, with 4.11M compromised records; Notes: all top 10 incidents affected more than 1M patients each
In context: What’s driving the rise?
It’s important to note that the impact of the 2016 cyberattacks cannot be measured by breach counts alone: that year marked the first time threat actors began preying on healthcare in force.
Financially motivated, the attackers understood the reality that if you shut down a health network and asked for a “reasonable” ransom, there was a high probability of a hefty payout because providers needed access to invaluable patient records and life-saving technology. These disruptive attacks crippled the targeted hospitals, as most were unprepared for long periods of network downtime.
The spate of cyberattacks in 2016 demonstrated for the first time in healthcare just how lax cybersecurity can drastically impact care delivery and patient safety. Prior to 2016, compliance with HIPAA and other regulations was subpar, as was awareness around the importance of bolstering cyber hygiene across the healthcare enterprise.
And for the most part, providers’ cyber efforts concentrated around HIPAA compliance and performing the bare minimum to avoid a fine from HHS. It was in 2016 that providers had a rude awakening: compliance does not equal cybersecurity – it requires a strategic, stringent overhaul to keep patients safe.
It would, however, take several years for that message to hit home. Awareness is no longer the problem in healthcare. The primary challenge is resources, from both a workforce and a budgetary perspective, combined with a rapidly expanding device inventory and persistent targeting by threat actors.
As seen with the HCA Healthcare data exfiltration and subsequent leak, the theft traced back to a single overlooked, unsecured port on an external server rather than to a systemically weak security program. The incident reflects a shift in tactics by threat actors.
The Clop ransomware group, for example, has been breaking into systems and stealing whatever data it can reach without deploying a ransomware payload at all. The MOVEit vulnerability that began making headlines this spring is the clearest example: where past intrusions involved breaking into a network, moving laterally to gather data, and then deploying ransomware, Clop has simply gone straight to the extortion phase against organizations running the vulnerable software.
Clop ran the same extortion-only playbook against the Fortra GoAnywhere vulnerability reported earlier this year, though the MOVEit campaign is far larger in scale. Between them, these two file-transfer vulnerabilities have compromised hundreds of companies, including those in healthcare. The tactic of exploiting unpatched vulnerabilities is not new; security gaps in internet-facing software have been a key entry point for attackers in recent years, particularly for ransomware groups.
What’s become increasingly clear is that healthcare network defenders must act quickly to address their risk posture, ongoing threats, and ensure their incident response plans are up to date and well-practiced. The data confirms that while the sector waits for policy and congressional actions to address systemic challenges, the threat actors are still moving at full speed.