US healthcare data breaches: why do hackers want patient data?

F-Secure | Jul 11, 2024

With more than 300 data breaches already reported in 2024, the US healthcare industry continues to face significant cyber security vulnerabilities that threaten the sensitive information of patients.

In April, US healthcare giant Kaiser Foundation Health Plan, Inc. suffered a data breach that affected 13.4 million patients, making it one of the biggest healthcare data breaches of all time. However, cyber threats like this in the US healthcare industry aren’t a new phenomenon — in 2021–2023, the industry experienced more than 700 data breaches annually. In January 2023, healthcare benefits management company NationsBenefits reported a breach due to a vulnerability in their file transfer software which impacted more than 3 million individuals. The hackers subsequently requested a ransom to keep the stolen data private.

Through the sheer number of data breaches hitting the healthcare industry, it’s clear that patient data is a valuable commodity. But why is it so sought after — and what do hackers do with stolen patient data?

What data is compromised in a data breach?

Healthcare breaches often involve the theft of sensitive patient data, including:

  • Personal identification details (names, addresses and social security numbers)

  • Medical records (diagnoses and treatment histories)

  • Financial information (insurance details and payment information)

For instance, the Kaiser Foundation breach compromised patient names, addresses, and email addresses. Similarly, the Harvard Pilgrim Health Care breach exposed the personal information of 2.5 million individuals, including health insurance information and social security numbers.

In some cases, electronic health records (EHRs) are also compromised, as seen in the Tricare data breach back in 2011. The breach involved backup tapes used in the military health system which contained personal health data like clinical notes, prescriptions and medical test results, as well as patients' social security numbers, phone numbers, and addresses.

Cyber criminals typically aim for financial gain. They may sell stolen data on the dark web or use it for identity theft and other fraudulent activities. In some cases, they demand ransom from healthcare providers and threaten to release sensitive data publicly if demands are not met.

Possible consequences of US healthcare data breaches

The healthcare industry’s increasing digitization makes it a lucrative target for cyber criminals — with significant consequences for patients across the country. These breaches affect a wide range of health services, including pharmacies, medical transcription services, and healthcare technology providers. Consequences of healthcare breaches include:

1. Personal financial losses

Victims of data breaches can suffer significant financial losses due to identity theft. These can include:

  • Unauthorized charges on credit cards

  • Loans or credit accounts opened in their names

  • Medical identity theft, where criminals use stolen healthcare records to receive medical care, leaving victims with substantial medical bills

For example, victims of the Cencora and NationsBenefits breaches may face such issues, as compromised data included social security numbers and other sensitive personal information.

2. Personal responsibility

Individuals affected by data breaches may have to take proactive steps to protect themselves, such as:

  • Monitoring credit reports and financial statements for suspicious activity

  • Placing fraud alerts or credit freezes on their accounts

  • Changing passwords and securing online accounts

Securing your protected health information (PHI) is crucial to prevent unauthorized access and misuse. In the wake of breaches like those at Cerebral and NationsBenefits, affected individuals have been offered credit monitoring and identity theft protection services.

3. Reoccurring misuse

Stolen data can be repeatedly exploited, leading to ongoing issues such as:

  • Identity theft and fraud

  • Unsolicited marketing and phishing attacks

  • Unauthorized medical services billed to insurance

Data from the Enzo Biochem breach, for example, included clinical test information and social security numbers which can be used for long-term fraudulent activities. Consequently, health systems must continuously address these challenges to protect patient data from repeated exploitation, such as by facilitating compliance with the Health Insurance Portability and Accountability Act (HIPAA).

4. Psychological impact

Victims of data breaches may also experience stress and anxiety related to the potential misuse of their personal information. The uncertainty and potential financial repercussions can have lasting effects on individuals’ mental wellbeing.

5 practical tips to protect yourself from data breaches

  1. Monitor your information. Regularly check your credit reports and financial statements for unusual activities. Utilize services that alert you to potential breaches involving your personal data, such as the free F-Secure Identity Theft Checker.

  2. Use strong and unique passwords. Avoid reusing passwords across multiple sites and create strong and unique passwords for each online account. Use a password manager to securely store all of your passwords, so you don’t need to remember each one.

  3. Enable multi-factor authentication. Enhance your account security and add an extra layer of protection by enabling two-factor authentication (2FA) or multi-factor authentication wherever possible.

  4. Keep informed. Check out our Newsroom to stay in the know about recent breaches and cyber security threats. Awareness is a crucial step in protecting your information.

  5. Inform your bank if data is exposed. If you discover that any insurance, banking, debit or credit card information has been exposed in a data breach, contact your bank and/or insurance company right away and follow their instructions. This may mean cancelling your cards or placing a fraud alert on your account.

How can healthcare providers improve security?

Protecting sensitive patient data requires vigilance from both individuals and healthcare providers — that’s why the Department of Health and Human Services (HHS) provides guidance and support to help healthcare providers enhance their cyber security measures.

Healthcare organizations can mitigate the risk of breaches by:

  • Regularly updating and patching software and systems to fix vulnerabilities

  • Conducting frequent security audits and risk assessments

  • Training staff on cyber security best practices and phishing awareness

  • Implementing robust access controls to limit who can view sensitive information

US healthcare sector data breach incidents in recent years

Following a data breach, healthcare organizations must comply with the HIPAA breach notification rule, which mandates reporting breaches to the Office for Civil Rights and notifying affected individuals. There have been thousands of reported breaches over the last decade, including:

  • Kaiser Foundation Health Plan: A monumental 13.4 million people could be affected following a data breach of Kaiser’s websites and mobile applications, which “may have transmitted personal information to third-party vendors” such as Google, Microsoft, and X.

  • Cencora: Formerly AmerisourceBergen, Cencora reported a breach affecting millions of patients due to unauthorized access to their systems. This incident is considered one of the largest healthcare data breaches in recent years.

  • Harvard Pilgrim Health Care: Over 2.5 million individuals had their personal and health information exposed following a ransomware attack.

  • Cerebral: The mental health platform notified over 3.1 million users of a breach involving tracking pixels that disclosed sensitive health information.

  • NationsBenefits Holdings: A vulnerability in Fortra’s GoAnywhere software led to a breach impacting over 3 million individuals.

  • Enzo Biochem: A ransomware attack exposed clinical test information of 2.47 million individuals.

  • Heritage Provider Network: A breach at multiple medical groups in the Heritage Provider Network, including Greater Covina Medical Group, Regal Medical Group, ADOC Medical Group and Lakeside Medical Organization, exposed sensitive patient data including names, social security numbers, and treatment information.

Keep your personal data private

Avoid online identity theft and secure your personal data with real-time data breach monitoring, breach alerts, and identity theft help. Make signing into your accounts easier and safer with the help of Total’s password manager and browse the internet privately with a secure VPN.