July 19, 2023 | Policy Brief

Massive Healthcare Data Breach Demonstrates Need to Implement Cybersecurity Best Practices 

The largest U.S. healthcare provider confirmed last week that a breach of its external data storage system exposed the personal information of at least 11 million patients. The largest data breach of a healthcare provider ever reported, this attack underscores the need for more robust cybersecurity measures to protect sensitive healthcare information. 

Hackers infiltrated an external system HCA Healthcare uses to automatically format emails to patients, exposing protected health information (PHI), including names, addresses, email addresses, phone numbers, dates of birth, gender, and patient service dates. A Nashville-based healthcare provider operating 182 hospitals and over 2,200 care facilities across 20 states, HCA Healthcare revealed the incident after a hacker dumped 1 million records from the company’s San Antonio division on an online forum in what appears to be a failed attempt to extort the company.  

Data breaches and ransomware attacks against the healthcare sector have increased in recent years, particularly since 2018. According to the Department of Health and Human Services (HHS), over 300 data breaches have occurred this year so far, affecting over 41 million people. These figures, however, do not include the HCA Healthcare incident or breaches not disclosed to HHS, so the real total is likely higher. 

Cyberattacks on the healthcare sector harm patients and have severe financial consequences for the provider. A 2022 IBM report found that, on average, it costs healthcare providers $10.1 million to recover from an incident. These breaches often also lead to class-action lawsuits. Ransomware attacks are especially costly, as the majority of healthcare providers pay the ransom but then also have to rebuild and shore up compromised systems. And even if the victim pays, patient PHI has already been compromised and may be sold on the dark web. Stolen PHI is worth more to cybercriminals than credit card information because a victim can close a credit card far more quickly than change their medical history. The utility of PHI is also greater since it facilitates identity theft, insurance scams, and other kinds of fraud. Ransomware attacks also degrade patient care, not only at the compromised hospital but also at surrounding facilities that have to take on the overflow of patients who cannot be treated because of equipment freezes.

Despite intensifying cyber threats, many healthcare providers, particularly rural hospitals, rarely update their cybersecurity practices, citing financial constraints as one of the main reasons. HHS currently provides cybersecurity best practices and guidelines, including guidance on phasing out legacy medical devices and patching others. The addition of financial assistance, however, would help monetarily stretched healthcare providers implement cybersecurity best practices to protect their systems and preserve patient care when they otherwise cannot afford to.  

Michael Sugden is a research analyst and editorial associate with the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Cole Knie is an intern. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.