More than 40 million people leaked health information this year
More than 40 million people in the United States had their personal health information exposed in data breaches this year, a significant jump from 2020 and a continuation of the trend toward more and more hacking and leaking of health data.
Health organizations must report any health data breach affecting 500 or more people to the Department of Health and Human Services Office for Civil Rights, making the breaches public. So far this year, the office has received reports of 578 violations, according to its database. That's less than the 599 violations reported in 2020, but last year's breaches only affected about 26 million people.
Since 2015, hackers or other IT incidents have been the main reason people expose their health records, according to a report by security company Bitglass. Previously, lost or stolen devices generated the most data breaches. The transition coincided with federal rules in the US requiring healthcare organizations to use electronic medical records and the broader shift towards digital tools like internet-connected monitors in healthcare. Medical records are valuable on the black market - they contain information that is more difficult to change than a credit card and can be used to make false medical claims or buy medicine.
There are a few ways these types of breaches can harm patients: People can have private information exposed and may have to deal with the financial repercussions of their medical identity theft. In addition, hacks and attacks on healthcare institutions that shut down hospital computer systems can make it difficult for them to provide quality care, which can be detrimental to the people treated there. Finally, research shows that more people die in hospitals due to data breaches, even those that do not cause the computer system to shut down.
Many healthcare organizations have not prioritized investing in cybersecurity, even as the risk of cyber attacks continues to rise. The most significant breach in 2021, for example, was a cyberattack on the Florida Healthy Kids Corporation health plan, which exposed the information of 3.5 million people. In addition, a post-attack analysis found that the plan's website had "significant vulnerabilities," according to Health News Florida.
However, experts say that spikes in attacks during 2020 and 2021, particularly in ransomware attacks, are pushing organizations to take the threat more seriously.