Insights from the Top 5 Healthcare Cyberattacks of 2024

Cybersecurity Breaches in Healthcare: A Year of Alarming Data Compromises

In February 2024, Change Healthcare publicly disclosed a significant cybersecurity breach, the largest healthcare data breach reported to federal regulators. Initially, the extent of this breach was not fully recognized, but it soon became clear that the ramifications would be extensive, affecting around 190 million individuals. The breach, characterized as a ransomware attack, was attributed to the BlackCat/ALPHV group. The severe impact prompted Change Healthcare to disconnect over 100 services for nearly a month while it addressed the fallout. Although it was rumored that a ransom was paid (reportedly around 350 bitcoins, approximately $22 million), the organization has confirmed that it restored operations without concrete evidence of misuse of the compromised data.

Change Healthcare’s incident is not an isolated case; the healthcare sector faced multiple high-profile breaches in 2024. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights is currently investigating 869 reported healthcare data breaches from the past 24 months. While the number of victims across these breaches varies, some have extended their impact to millions of patients, showcasing a growing trend in the vulnerability of protected health information (PHI).

An incident involving Kaiser Foundation Health Plan exemplifies the challenge in safeguarding sensitive data: an accidental data sharing incident impacted approximately 13.4 million individuals. This breach arose from misconfigurations that led to unintended exposure of information, including member names and browsing activities, which, although less sensitive than PHI, still posed risks for targeted marketing abuse. The breadth of the Kaiser incident highlights the importance of stringent data handling practices, even in non-malicious cases.

Ascension Health’s breach, classified as an accidental download of a corrupted file, exposed about 5.6 million individuals. It took the organization six weeks to completely address the incident, which stemmed from an employee’s mistake. During this time, access to vital systems, including electronic health records, was significantly hampered. The breach increased concerns about insider threats and the need for comprehensive alert systems to monitor employee activities.

HealthEquity experienced unauthorized access to its systems in March, which affected around 4.3 million members. This incident resulted from a third-party user account being compromised. Despite the lack of immediate service disruption, it raised alarms about the potential for chronic vulnerabilities that could be exploited if left unaddressed. Internal investigations revealed that accessed information included names, Social Security numbers, and health insurance details.

The Acadian Ambulance Service faced a ransomware attack attributed to the Daixin Team, impacting approximately 2.9 million patients. The attackers demanded a ransom of $7 million. The attack raised concerns over the integrity of internal security measures and illustrated the continuous evolution of tactics employed by cybercriminals. As with many attacks, Acadian’s case underscores the importance of implementing robust cybersecurity frameworks to mitigate future threats.

Analyzing these breaches using the MITRE ATT&CK framework reveals several tactics that adversaries may have utilized. Initial access could have been achieved through exploiting vulnerabilities in systems or social engineering attacks aimed at employees. Persistence and privilege escalation techniques may have allowed attackers to maintain access over time, posing long-term risks to sensitive data storage. In many cases, organizations failed to catch these breaches due to inadequate monitoring and lack of comprehensive system reviews.

The growing number of healthcare-related cybersecurity breaches underscores the pressing need for robust data protection measures. As healthcare systems deal with sensitive patient information, the repercussions of compromised data can be severe, affecting trust and service delivery. For organizations in healthcare and adjacent sectors, understanding the vulnerabilities exploited by cybercriminals can inform strategies to bolster cybersecurity defenses and better protect patient data.

As the landscape of cyber threats continues to evolve, the importance of proactive engagement and rigorous security assessments cannot be overstated. The experiences from these high-profile breaches serve as critical learning points for organizations aiming to fortify their defenses against an increasingly sophisticated array of cyber adversaries.
