As hospitals struggled to combat COVID-19 in 2020, cyber criminals were aggressively going after health care systems across the country. The bad actors were demanding ransomware and threatening to release patient information.
By: Sandra Jones
Originally Published: November 22, 2021
(InvestigateTV) – Imagine if your most private information was publicly exposed or ended up on the dark web. As hospitals struggled to combat COVID-19 in 2020, cyber criminals were aggressively going after health care systems across the country. The bad actors were demanding ransomware and threatening to release patient information.
According to the U.S. Department of Health and Human Services, there were 827 reported health care breaches in 2019, 2020, and the first seven months of 2021.
More than 52 million people had their medical records compromised.
InvestigateTV found that the data showed an increased number of breaches since the pandemic began. From January to August of 2021, 421 healthcare breaches were reported to HHS. That surpassed all of 2020 when 353 were reported. The 2021 numbers were also eight times higher than reported in 2019 when health care systems only reported 53 cases.
While the number of people these breaches affect is huge, finding a victim to talk to for this story proved difficult because they either didn’t know about the breach or filed class action lawsuits with agreements prohibiting them from commenting.
But former hospital administrator Robert Goff who oversaw operations at a health system in the Northeast did speak out. He faced two health care breaches after employees opened suspicious emails forcing the hospital to pay millions to stop ransomware attacks.
“That means, that your operating system, your medical records, are not electronically available as your providing patient care,” Goff said.
Goff said the hospital had the latest technology and security measures in place to prevent a hack, but it still happened, and put patient safety and treatment at risk after shutting down hospital operations.
“Depending upon the hospital and the system, how fast can you get to your back up information and bring it online? It’s generally not instant,” Goff said. “There are some hospitals that indicate that critical care was impeded and there had been some fatalities.”
Goff told InvestigateTV the hospital had no fatalities, but he couldn’t say if patient information ended up in the hands of cybercriminals. But the hospital staff is constantly training and re-educating employees on cyberattacks.
“We do our own phishing attacks on ourselves, and unfortunately if a person, if an employee, has a habit of clicking on everything and does not change with education, we will be forced to terminate them,” Goff said.
Under HIPAA, or the Healthcare Information Portability and Accountability Act, health care organizations are required to report a breach to the Department of Health and Human Services’ Office of Civil Rights, if more than 500 people are impacted.
InvestigateTV’s analysis shows the type of large medical data breaches tracked by the federal government. Out of 827 breaches between 2019 and the first part of 2021, three quarters were categorized as hacking or IT incidents.
The 10 largest data breaches involved a total of nearly 19 million records.
The largest breaches included a corporation which administers government health insurance for kids and a major grocery company that has pharmacies in its stores.
“It’s sad because look who, look at all of the people being victimized,” Goff said.
Lawmakers on Capitol Hill are trying to tackle the problem.
“Right now, it’s just the wild west. There are no rules at all,” said Congressman Michael McCaul, a Republican from Texas.
McCaul co-chairs the congressional cybersecurity caucus he helped to create 15 years ago in hopes of raising awareness of an evolving threat.
“We have to have some rules of the game in international space,” McCaul said.
He envisions setting up an office within the State Department.
“An ambassador that can negotiate with, say, our European partners, our NATO allies, that NATO’s going to stand together,” McCaul said. And if a NATO ally is hit with a destructive, we have to define cyber warfare as well.”
Meanwhile, Virginia Congresswoman Abigail Spanberger, a Democrat, introduced the Better Cybercrimes Metric Act to help law enforcement go after hackers attacking victims nationwide. The bill hasn’t passed.
“Quite frequently, we’ll see the companies or entities will pay whatever sort of, I mean, extortion, demand is made by these criminal groups or criminal entities, and so it doesn’t come to the forefront of discussion. And in fact, sometimes it’s swept under the rug,” Spanberger said.
“The sooner the breach is contained, the lesser the damage will be.”
That is why cybersecurity expert Vahid Bezhadan urges consumers to report any cybercrime and take steps to protect themselves. Some of those steps include changing passwords, getting anti-virus protections, checking for computer updates and reporting any weaknesses in the system.
“You should worry about the compromises any time that you provide or store information about yourself. You should be aware of the risk,” Bezhadan said.
According to the latest data breach report by IBM and the Ponemon Institute, the average data breach in the U.S. cost $9.5 million in 2021. The healthcare industry is paying the most per data breach at $9.23 million.