Network Assured shared the results of a recent study on cyberattacks against U.S. healthcare organizations. It looked at the total number of data breaches historically, the number of individuals affected, and the financial cost of each breach. One of the starker findings of the report was that two of the worst healthcare data breaches in U.S. history happened in the past 12 months.

Is Healthcare Cybersecurity Getting Worse?

Despite a minor decrease in the number of attacks against healthcare organizations from 2021 (715 breaches) to 2022 (707 breaches), the severity of attacks, measured by records compromised, continued to increase.


The breach of OneTouchPoint Inc. saw 4,112,892 records compromised. It was the largest healthcare data breach of 2022 and the 9th largest of all time. The breach of Advocate Aurora Health saw more than 3 million patients’ data compromised. It was the 2nd largest healthcare breach of 2022 and the 10th largest of all time.

Other study results indicated that:

  • The healthcare data of minors was a particular focus of 2022 cyberattacks. The 2022 breach of Connexin Software, which provides management software for pediatric practices, saw the healthcare records of more than 2 million minors compromised.
  • Ransomware, malware, and phishing emails were involved in the majority of the year’s worst data breaches.
  • A greater number of smaller healthcare organizations are being affected: while the largest breach of all time was in 2014, the latest year saw more individual organizations affected by data breaches than ever before.

Third-party Vendors a Primary Cause of Healthcare Data Breaches

The report found that insecure third-party vendors were a consistent cause of high-impact data breaches. Both the worst healthcare breach of 2022 and the second worst of all time occurred because business associates failed to properly secure patient information.

Dark Web Incentivizing Healthcare Cyberattackers

The report found that patients’ healthcare data obtained through cyberattacks is most commonly sold. On the dark web, an individual healthcare record can be worth as much as $250.

“A complete medical record contains all of someone’s personal identifying information,” says the report’s author Aaron Weissman. “That information can be used to register identification documents or apply for credit cards. Even incomplete medical records can be aggregated with other stolen information to create a complete individual identity profile.”

Basic Cybersecurity Practices Lacking in Healthcare

The report challenges the narrative that the increasing severity of cyberattacks is a result of the increasing sophistication of malicious actors. In many of the worst data breaches on record, investigators found that even basic cybersecurity practices were lacking.

In the worst healthcare breach of all time, investigators cited “a lax credential management policy and a lack of a risk management program” as a causal factor in the attack. The second largest healthcare data breach of all time was “determined to have occurred because of the lack of a cybersecurity program.”

To see the complete findings, including a full breakdown of the largest healthcare breaches by records stolen and damage incurred, with full-color charts, please visit the study here.

Featured graphic: The worst healthcare data breaches of 2022 according to Network Assured. Image: Network Assured