The High Value of Healthcare Data Breaches: Understanding How They Occur & Preventative Measures
Sep 12
By Daniel Wingfield, 360 Privacy Data Protection Analyst
In an ever-growing digital world, the convenience and efficiency of digital data and record keeping have streamlined countless processes across every industry. While the positive impacts of these practices are clear, an aspect that is often an afterthought for many is the risk of data breaches, which can expose valuable personally identifiable information (PII). One major area of concern for data breaches is the healthcare industry. Digital systems within the healthcare industry store vast records of highly sensitive PII such as medical records, insurance information, and social security numbers. If exposed by a threat actor, this information can be sold on the black market and used for illicit activities such as identity theft and fraud. Because protecting such sensitive information is so critical, it is crucial to highlight how and why these breaches happen, the impact these breaches have on executives, companies, and consumers, and best practices to ensure the safety of data within the healthcare sector.
How do Data Breaches Happen?
A data breach is an encompassing term, defined by IBM as “any security incident in which unauthorized parties access sensitive or confidential information, including personal data and corporate data” (Kosinski 2024). Data breaches can manifest in many ways as threat actors exploit different vulnerabilities within a company or system to gain access to sensitive information. According to data collected by The U.S. Department of Health and Human Services, 739 healthcare data breaches were reported in 2023. Of these breaches, 80% were determined to have been caused by hacking or another related IT incident (Definitive Healthcare 2024). These types of attacks often include phishing, social engineering, and malware attacks.
Phishing often takes place through company email domains: threat actors send employees emails posing as executives or another trusted source, often including links which, if interacted with, give the threat actor access to company systems or data.
Social engineering occurs when a threat actor manipulates an executive or employee into sharing sensitive company information or granting access to company systems, compromising security.
Malware attacks involve threat actors using harmful software to cause damage to or exploit company systems in order to access sensitive data.
Often these strategies are used in conjunction with one another to infiltrate a company’s systems and gain access to data. Without the proper education and implementation of policies and systems to mitigate the threat of these attacks, executives and their companies within the healthcare field and beyond are at risk of falling victim to this ever-growing threat.
The Cost of a Data Breach
With the potential for identity theft and other illicit activities resulting from data breaches, it is clear how significant a threat these attacks are to consumers. However, it is equally important to consider how detrimental data breaches can be to the executives and companies that fall victim. A 2024 report published by IBM highlights the massive cost of data breaches over the past year. This year, the average data breach costs companies $4.88 million globally, a 10% increase from 2023. Data breaches in the U.S. cost $9.36 million on average, the most of any country (Team Spycloud 2024).
Focusing specifically on the healthcare sector, with the vast amount of sensitive PII stored in databases, reports show that it is the most expensive industry when it comes to data breaches.
As of last year, IBM reports show healthcare data breaches cost an average of $11 million in the U.S., leading all other industries for the 13th year in a row. As the amount of digitally stored data rises over the years, so does the threat of cyber-attacks, resulting in the ever-growing cost of such breaches. The cost of a data breach within the healthcare industry has risen 53% since 2020 (Olsen 2023). With the healthcare industry being one of the most common and susceptible targets for these attacks, executives in the field need to understand how these breaches happen and actively implement strategies to minimize the risk of their data being vulnerable to threat actors. They must also be prepared to respond effectively if their data is compromised, to mitigate damage to their consumers, their reputation, and their pockets.
Notable Data Breaches In Healthcare
In March of this year, Kootani Health, a healthcare provider located in Idaho, fell victim to a data breach by a well-known ransomware group known as ‘3am ransomware’. The breach led to the disclosure of PII for over 464,000 patients. The exposed information included patient data such as names, SSNs, government IDs, as well as insurance information (Toulas 2024). The financial impact of this breach is yet to be fully understood as the company has been issuing notices to those affected and financial claims are ongoing.
In early May 2024, suspicious activity was detected on systems used by Ascension, one of the largest health systems in the U.S. This activity was determined to be a ransomware attack, which resulted in major disruptions to vital functions across its 140 hospitals throughout the U.S., including disrupted ambulance communications, operational delays, and prescription issues (Forbes Technology Council 2024). As with the Kootani breach, the financial implications are still not fully clear, but they are expected to be well over the $11 million average for healthcare breaches due to the large scale and ongoing impact. These recent examples are just two of hundreds of their kind this year alone, and they paint a clear picture of the danger of data breaches in the healthcare industry.
Preventative Measures
Understanding the danger that executives and companies within the healthcare industry face from cyber threats is only half the battle. With millions of dollars, quality of care, and corporate reputations on the line, preventative action is paramount. Understanding the necessity for extensive cybersecurity for executives leads to a search for the most effective measures. Effectiveness within the industry lies in proactive measures rather than reactive ones.
Through our tiered system of industry-leading Digital Executive Protection, 360 Privacy offers the most comprehensive package for initial analysis, consistent monitoring, and tailored security training available. As opposed to using artificial intelligence or other less effective automated systems, 360 Privacy has a team of in-house experts working every day on the removal of client PII from over 400 data broker sites, protecting executives from threat actors. Beyond the differentiating factors of human analysis and the manual removal of data, 360 Privacy also employs a sophisticated monitoring system to be alerted to, and take immediate action against, any repopulation of data or any leak of sensitive information before it can be exposed and used for illicit activity. Lastly, 360 Privacy offers dedicated training to educate executives and employees about cyber threats and to integrate procedures and protocols that minimize those threats and maximize the security of the valuable data the company is responsible for.
The expertise and human element provided by 360 Privacy’s protection ensure the most effective and comprehensive digital protection plan available. It gives executives in the healthcare industry and beyond peace of mind, knowing that their responsibility to protect the sensitive data of their employees and consumers is dutifully managed and their reputation protected.
© 2024 by 360 Privacy