Threat actors have compromised sensitive health data on tens of millions of US patients so far this year, according to new figures released by the Department of Health and Human Services (HHS).
The HHS said that there had been a 239% increase in “large breaches” reported to its Office for Civil Rights (OCR) in the past four years and a 278% increase in ransomware.
The same trends can be observed in 2023 alone, with large breaches impacting over 88 million individuals, a 60% year-on-year (YoY) increase. The HHS said hacking accounts for 77% of these reported breaches.
It’s unclear from the statement how many breaches stemmed from ransomware incidents this year, although it would appear to be a key driver.
“Ransomware attacks are increasingly common and targeting the healthcare system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR director Melanie Fontes Rainer.
“In this ever-evolving space, it is critical that our healthcare system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”
A Sophos report published earlier this week revealed that 60% of surveyed healthcare organizations (HCOs) suffered a ransomware breach over the past year, versus 66% in 2022. However, data was successfully encrypted in 75% of these incidents, with HCOs able to disrupt an attack before this stage in the kill chain in just a quarter of cases, down from 34% in 2022.
Jan Lovmand, CTO of BullWall, argued that ransomware attacks in the sector have become a serious threat to health and safety.
“These attacks not only disrupt the delivery of essential medical services, postponing critical surgeries and treatments and putting patients’ lives at risk, but also compromise the security of sensitive patient information,” he added.
“Hospitals and healthcare organizations are particularly attractive targets for cybercriminals, and their reliance on technology to manage everything from patient records to surgical equipment makes them uniquely vulnerable. This is compounded by their limited resources to invest in cybersecurity measures.”