Doctors’ offices and hospitals are supposed to be safe places where we can go to get help when we are sick. We trust them with all of our private and sensitive information.
The healthcare industry holds a great deal of our individual health information, and sadly that makes it a prime target for theft via data breaches. New statistics show a worrying trend: over 25% of Americans have had their health data exposed in security breaches, affecting an alarming 87 million patients. What’s even more troubling? In the first half of 2023, a staggering 77% of these breaches involved attacks on network servers.
The healthcare sector is among the most vulnerable because of the lucrative information it holds. The financial risks of a data breach are high for healthcare agencies: the theft of a single record costs them a staggering $355 on average, much more than the $158 average for non-healthcare agencies.
But what motivates these cyberattacks? Hackers are after our Protected Health Information (PHI): anything that can identify a patient, such as their name, address, or medical records. PHI carries a high value on the black market, selling for as much as $363 per record. Its long shelf life and potential for identity theft make it an attractive target for criminals.
With PHI, criminals can create fake insurance claims, purchase and resell medical equipment, or even gain access to prescriptions for their own use or resale. This not only harms individuals but also the healthcare system as a whole.
Healthcare organizations are legally required to provide individual notifications within 60 days of discovering a breach. These notifications must include a description of the breach, the types of information involved, steps affected individuals should take to protect themselves, and details about the entity’s response to the breach.
An IBM security report indicates a large detection gap for data breaches. Only a third of breaches are detected by the breached company’s security measures, 27% are disclosed by the attacker, and 40% are identified by a neutral third party.
These breaches are often orchestrated by hackers, with nearly three-quarters of incidents attributed to unauthorized access. The implications are clear: our healthcare data is under attack, and the consequences are far-reaching.
Adding to the concern is the fact that U.S. healthcare organizations allocate only six percent of their IT budgets to cybersecurity. According to IBM reports, this could be the reason behind the significant detection gap.
Not following these requirements can lead to severe legal trouble, as in the case of Athens Orthopedic Clinic. Its data breach revealed that it had failed to meet the HIPAA rules in several ways, including maintaining proper policies, training employees, and executing agreements with business associates. As a result, the clinic paid a hefty $1.5 million settlement for its negligence.
Individuals have rights when it comes to their Protected Health Information. They should be promptly informed about breaches and provided with details on what occurred, what information was compromised, and steps to protect themselves. Transparency and communication are essential components of these rights.
These alarming statistics on healthcare data breaches should serve as a wake-up call for both healthcare organizations and individuals. Instances such as these emphasize the importance of robust cybersecurity measures, strict compliance with legal requirements, and proactive defense strategies. It’s only through a collective effort that we can safeguard our healthcare data and prevent the harm that stems from negligence.
(*) Oscar A. de la Rosa is the founder and lead attorney at De La Rosa Law, a mass tort and data breach litigation law firm headquartered in Miami, FL.