Banner

Article

Health care data breaches decline, but threats remain

Author(s):

Growth in remote work, cloud data storage present opportunities for hackers

The first half of 2022 saw some gains in the battle to safeguard health care records, a new report finds, but progress remains uneven. 

According to cybersecurity firm Fortified Health Security, the number of data breaches reported to the U.S. Department of Health and Human Services Office for Civil Rights affecting at least 500 health records dropped by 8.4% compared to the same period in 2021, from 368 to 337.

In addition, the number of records affected by breaches was down by about 40% from the first half of 2021, although was still 138% higher than 2020. Health care providers accounted for the great majority of the breaches with 72%, followed by business associates (16%) and health plans (12%).

“While the trendline from mid-year 2021 to today is down, overall breach numbers and affected records remain stubbornly high,” the report states. “The potential attack surface for hospitals and health systems continues to grow as employees work remotely and more medical, financial, and operational technologies move to the cloud.”

While it’s too soon to know, this year’s dropoff in reported data breaches may be an anomaly. According to the report, it was only the second time since 2010 that the number of reported breaches saw a year-over-year decline.

In terms of causes of breaches, those the report calls “malicious attacks” increased to 80% from 73% in the first six months of 2021. The rest were attributed to unauthorized access, theft, loss or improper disposal. It marked the sixth consecutive year malicious attacks was the leading cause of breaches.

The report found that breaches were heavily concentrated among a relatively small number of health care organizations, with seven entities accounting for 31% of 2022’s total to-date. Among these have been an imaging provider (two million records), a California health plan (854,000), a billing company (510,000) and a business service provider (500,000).

“The continued prevalence of healthcare cyberattacks should serve as a wakeup call for all healthcare leaders to assess their current security postures and take action to decrease risk and increase visibility and capabilities,” the report says.

Related Videos