With more than 300 data breaches already reported in 2024, the US healthcare industry continues to face significant cyber security vulnerabilities that threaten the sensitive information of patients.
In April, US healthcare giant Kaiser Foundation Health Plan, Inc. suffered a data breach that affected 13.4 million patients, making it one of the biggest healthcare data breaches of all time. However, cyber threats like this in the US healthcare industry aren’t a new phenomenon — in 2021–2023, the industry experienced more than 700 data breaches annually. In January 2023, healthcare benefits management company NationsBenefits reported a breach due to a vulnerability in their file transfer software which impacted more than 3 million individuals. The hackers subsequently requested a ransom to keep the stolen data private.
Through the sheer number of data breaches hitting the healthcare industry, it’s clear that patient data is a valuable commodity. But why is it so sought after — and what do hackers do with stolen patient data?
What data is compromised in a data breach?
Healthcare breaches often involve the theft of sensitive patient data, including:
Personal identification details (names, addresses and social security numbers)
Medical records (diagnoses and treatment histories)
Financial information (insurance details and payment information)
For instance, the Kaiser Foundation breach compromised patient names, addresses, and email addresses. Similarly, the Harvard Pilgrim Health Care breach exposed the personal information of 2.5 million individuals, including health insurance information and social security numbers.
In some cases, electronic health records (EHRs) are also compromised, as seen in the Tricare data breach back in 2011. The breach involved backup tapes used in the military health system which contained personal health data like clinical notes, prescriptions and medical test results, as well as patients' social security numbers, phone numbers, and addresses.
Cyber criminals typically aim for financial gain. They may sell stolen data on the dark web or use it for identity theft and other fraudulent activities. In some cases, they demand ransom from healthcare providers and threaten to release sensitive data publicly if demands are not met.
Possible consequences of US healthcare data breaches
The healthcare industry's increasing digitization makes it a lucrative target for cyber criminals — with significant consequences for patients across the country. These breaches affect a wide range of health services, including pharmacies, medical transcription services, and healthcare technology providers. Consequences of healthcare breaches include:
1. Personal financial losses
Victims of data breaches can suffer significant financial losses due to identity theft. These can include:
Unauthorized charges on credit cards
Loans or credit accounts opened in their names
Medical identity theft, where criminals use stolen healthcare records to receive medical care, leaving victims with substantial medical bills
For example, victims of the Cencora and NationsBenefits breaches may face such issues, as compromised data included social security numbers and other sensitive personal information.
2. Personal responsibility
Individuals affected by data breaches may have to take proactive steps to protect themselves, such as:
Monitoring credit reports and financial statements for suspicious activity
Placing fraud alerts or credit freezes on their accounts
Changing passwords and securing online accounts
Securing your protected health information (PHI) is crucial to prevent unauthorized access and misuse. In the wake of breaches like those at Cerebral and NationsBenefits, affected individuals have been offered credit monitoring and identity theft protection services.
3. Reoccurring misuse
Stolen data can be repeatedly exploited, leading to ongoing issues such as:
Identity theft and fraud
Unsolicited marketing and phishing attacks
Unauthorized medical services billed to insurance
Data from the Enzo Biochem breach, for example, included clinical test information and social security numbers which can be used for long-term fraudulent activities. Consequently, health systems must continuously address these challenges to protect patient data from repeated exploitation, such as by facilitating compliance with the Health Insurance Portability and Accountability Act (HIPAA).
4. Psychological impact
Victims of data breaches may also experience stress and anxiety related to the potential misuse of their personal information. The uncertainty and potential financial repercussions can have lasting effects on individuals’ mental wellbeing.
5 practical tips to protect yourself from data breaches
Monitor your information. Regularly check your credit reports and financial statements for unusual activities. Utilize services that alert you to potential breaches involving your personal data, such as the free F-Secure Identity Theft Checker.
Use strong and unique passwords. Avoid reusing passwords across multiple sites and create strong and unique passwords for each online account. Use a password manager to securely store all of your passwords, so you don’t need to remember each one.
Enable multi-factor authentication. Enhance your account security and add an extra layer of protection by enabling two-factor authentication (2FA) or multi-factor authentication wherever possible.
Keep informed. Check out our Newsroom to stay in the know about recent breaches and cyber security threats. Awareness is a crucial step in protecting your information.
Inform your bank if data is exposed. If you discover that any insurance, banking, debit or credit card information has been exposed in a data breach, contact your bank and/or insurance company right away and follow their instructions. This may mean cancelling your cards or placing a fraud alert on your account.
How can healthcare providers improve security?
Protecting sensitive patient data requires vigilance from both individuals and healthcare providers — that’s why the Department of Health and Human Services (HHS) provides guidance and support to help healthcare providers enhance their cyber security measures.
Healthcare organizations can mitigate the risk of breaches by:
Regularly updating and patching software and systems to fix vulnerabilities
Conducting frequent security audits and risk assessments
Training staff on cyber security best practices and phishing awareness
Implementing robust access controls to limit who can view sensitive information
US healthcare sector data breach incidents in recent years
Following a data breach, healthcare organizations must comply with the HIPAA breach notification rule, which mandates reporting breaches to the Office for Civil Rights and notifying affected individuals. There have been thousands of reported breaches over the last decade, including:
Kaiser Foundation Health Plan: A monumental 13.4 million people could be affected following a data breach of Kaiser’s websites and mobile applications, which “may have transmitted personal information to third-party vendors” such as Google, Microsoft, and X.
Cencora: Formerly AmerisourceBergen, Cencora reported a breach affecting millions of patients due to unauthorized access to their systems. This incident is considered one of the largest healthcare data breaches in recent years.
Harvard Pilgrim Health Care: Over 2.5 million individuals had their personal and health information exposed following a ransomware attack.
Cerebral: The mental health platform notified over 3.1 million users of a breach involving tracking pixels that disclosed sensitive health information.
NationsBenefits Holdings: A vulnerability in Fortra’s GoAnywhere software led to a breach impacting over 3 million individuals.
Enzo Biochem: A ransomware attack exposed clinical test information of 2.47 million individuals.
Heritage Provider Network: A breach at multiple medical groups in the Heritage Provider Network, including Greater Covina Medical Group, Regal Medical Group, ADOC Medical Group and Lakeside Medical Organization, exposed sensitive patient data including names, social security numbers, and treatment information.