Ransomware attacks on healthcare organizations have sharply increased in 2024, as shown by recent research from Safety Detectives. Compared to 2023, healthcare providers are facing a higher frequency of ransomware incidents, impacting their ability to deliver essential services and protect sensitive patient data.
Here are the key takeaways from the report.
- Escalating Frequency and Impact: Healthcare services have become one of the most targeted industries, moving from the fifth most attacked sector in 2023 to third in 2024. As of the first three quarters of 2024, there were already 264 ransomware incidents affecting healthcare providers—nearly matching all of 2023's figures.
- More Active Ransomware Groups: In 2024, there are 87 active ransomware groups, a marked increase from 68 in 2023. These groups are executing an average of 394 attacks monthly, using increasingly sophisticated and coordinated tactics, including 177 new ransomware variants identified just between April and September.
- Significant Financial and Operational Costs: Healthcare providers, faced with potential HIPAA fines and the risk of service interruptions, may feel pressured to pay ransom demands. Such was the case with Change Healthcare, which paid a $22 million ransom in March 2024. Attackers are not only encrypting systems but also targeting sensitive data, including Protected Health Information (PHI) and Personally Identifiable Information (PII), such as diagnoses, therapy records, genetic data, and Social Security numbers.
- Sensitive Data Theft and Exposure: Cybercriminals have reportedly stolen up to 120 TB of data in 2024 from healthcare providers alone. This stolen data is often exposed on both the clear and dark web, heightening risks of identity theft and further perpetuating cybercrime. The average data theft per attack is roughly 450 GB, impacting countless individuals and putting their private health information at risk of exploitation.
- Critical Disruptions to Healthcare Services: Ransomware attacks disrupt core healthcare operations, hindering access to electronic health records, appointment scheduling, diagnostics, and more. The disruptions not only cause treatment delays but also pose risks to patient safety, especially in emergency scenarios where immediate access to medical information is vital.
From the report: "Samples of the stolen data can be easily found on the clear web, accessible to anyone with internet access. The full troves of stolen data are frequently traded, sold or simply leaked on the clear and dark web, where they could remain available for years after the initial breach. This exposure not only potentially increases risks to individuals whose sensitive information has been compromised but also perpetuates the cycle of cybercrime activity."
"We need to remember, like every industry, there is a huge gap between the dozen or so large Fortune 100 health insurance payers, and the 1 million hospitals and doctors' offices. The 99% do not have the resources and funding to be able to protect themselves," said Rick Doten, VP, Information Security, Centene Corporation, a publicly traded managed care company based in St. Louis, Missouri. "I've been on panels with large hospital CISOs who said, 'It's not that I don't know what to do, or that I don't have executive leadership buy-in; it's that we don't have the money and resources to implement proper controls. We just have to accept the risks and rely on insurance to recover.'"
Doten continued, "So, while all those statistics are accurate, it's like saying, 'Rabbits continue to be attacked by eagles, coyotes, and foxes. Let me tell you why it's an impact to the rabbit community.' Rabbits will never be able to protect themselves—grow armor, claws, or teeth. So, like rabbits, instead of complaining about their lack of ability to defend themselves, we need to look at ways industry and government can provide funding and resources to help protect them."
The report's findings underscore the urgent need for the healthcare sector to bolster its cybersecurity posture. With ransomware tactics growing more advanced and attackers increasingly targeting high-stakes environments like healthcare, the protection of patient data and continuity of care are more at risk than ever. Investments in cybersecurity, comprehensive employee training, and robust data backup systems are essential to mitigating these threats and safeguarding both patient safety and privacy.
The report raises some pertinent issues that we are seeing across the healthcare industry as it struggles to effectively combat the rise in ransomware attacks, according to John Howard, Senior Attorney at Clark Hill Law.
"This increase over the last couple of years, and specifically in the last year, looks to be exponential in nature, with the total number of individuals impacted exceeding 100 million in 2023 and potentially double that in 2024," Howard said. "While it feels like we are all receiving data breach notification letters of one sort or another all the time, and unfortunately getting used to the reality of the frequency of these attacks, when the data involved is someone's personal health information, it causes extra anxiety as this information tends to be considered the most personal."
Howard added, "The increase in these attacks needs to be a wake-up call for all healthcare entities to take the time to seriously review their cybersecurity and risk management programs to take steps to address any potential risks to the data they hold. In healthcare, it is not if an entity is going to be subject to a cyberattack, but rather when. It is every healthcare organization's responsibility to put reasonable measures in place to protect the data they have.
"Not only that, for those regulated by HIPAA, which is most, they have a legal obligation to do so. The federal agency in charge of enforcing HIPAA, the Department of Health and Human Services' Office of Civil Rights (HHS OCR), has also taken notice and has recently stepped up its investigation of breaches resulting from ransomware attacks, and has entered into multiple settlement agreements and issued civil money penalties. HHS OCR has also announced a new risk assessment initiative to push HIPAA covered entities to actually conduct effective risk assessments as part of their risk management programs. Those that don't are not only becoming attractive targets for cybercriminals but for federal regulators, as well."
More directly from the report:
"The exposure of such sensitive data presents substantial risks, impacting both the individuals affected and the healthcare institutions involved. Some of these potential risks are:
Privacy concerns: Exposure of health data can raise significant privacy concerns for individuals. This sensitive information, such as medical history, treatment plans, and personal identifiers, may be accessed by unauthorized parties and potentially misused.
Identity theft: Health-related data often contains personally identifiable information (PII) such as names, addresses, Social Security numbers, and insurance details. If this information falls into the wrong hands during a data breach, it can be used to commit identity theft or fraud.
Psychological impact: The exposure of health-related data in a data breach can have a psychological impact on individuals whose privacy has been violated. The fear and uncertainty surrounding the misuse of their sensitive information can cause stress, anxiety, and emotional distress.
Medical fraud: Cybercriminals may exploit stolen health data to commit medical fraud. For instance, they could obtain healthcare services or prescription drugs under someone else's identity. This not only puts the victim at financial risk but also compromises their medical records.
Reputation damage: Healthcare organizations that experience data breaches involving patient information may suffer significant reputational damage. Patients and stakeholders may lose trust in the organization's ability to safeguard their sensitive data, leading to potential loss of business and credibility.
Legal consequences: Data breaches involving health-related information can result in legal consequences for healthcare organizations. They could incur regulatory fines and penalties for non-compliance with laws such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States. Organizations may also possibly face lawsuits from affected individuals seeking damages for the breach.
Medical errors: In some cases, exposure of health-related data in a breach could lead to medical errors or compromised patient care. If unauthorized parties tamper with medical records or treatment plans, it could result in incorrect diagnoses, inappropriate treatments, or delays in care. This poses a significant risk to patient safety and well-being.
Financial loss: Data breaches in the healthcare sector can also lead to financial losses for both individuals and organizations. Patients may have to pay for identity theft protection services or medical bills resulting from fraudulent activities. Healthcare organizations may face expenses associated with investigating the breach, notifying affected individuals, implementing additional security measures, and potential legal fees.
Long-term consequences: Patients may experience ongoing concerns about the security of their personal data, impacting their trust in the healthcare system. For organizations, the aftermath of a breach may include continued scrutiny from regulators, increased cybersecurity costs, and challenges in rebuilding their reputation.
Loss of trust: Perhaps one of the most significant risks associated with having health-related data exposed in a breach is the loss of trust between patients and healthcare providers. When sensitive information is compromised, patients may question the security practices of the organization holding their data, leading to a breakdown in trust that can be challenging to repair."