Critical Insight reports decrease in total breaches in healthcare, but increase in number of individuals affected

Critical Insight released this week its H1 2023 Healthcare Data Cyber Breach report, which builds on its biannual analysis of data breaches reported by healthcare organizations to the U.S. Department of Health and Human Services (HHS). It records 40 million individuals exposed to healthcare cyber breaches despite an overall decline in the number of breaches.

The Critical Insight report revealed a decrease in total breaches but an increase in the number of individuals affected; the focus of attacks on the supply chain and third-party associates; and, particularly noteworthy, the shift in some attackers’ strategies from encryption to extortion. The report also identified an evolution in attack tactics with fewer, but bigger breaches, which reflects consolidation within the industry and the evolving tactics of attackers.

While the first six months of the year saw an encouraging decrease in the overall number of data breaches impacting healthcare organizations, it was overshadowed by large-scale breaches resulting in a significant increase in the number of individuals affected, which reached record levels. The report found that 2023 is on pace to break the record for individuals affected by breaches. 

“The results of this analysis support the hypothesis that cybercriminals are continually evolving their tactics to minimize risk and maximize the return on effort,” Mike Hamilton, founder and CISO at Critical Insight, said in a media statement. “Focusing on business associates that perform a service for covered entities should give all these providers pause. Fines, additional regulatory scrutiny, class actions, and enforcement of the false claims act will affect these organizations for years.”

The report also disclosed that healthcare providers remain a prime target for hackers, despite their widespread focus on every link in the supply chain. “In fact, 65% of healthcare breaches in the first half of 2023 specifically targeted healthcare providers. However, the good news is that the data from this period suggests that we are on track to experience fewer provider breaches compared to the previous three years,” it added. 

In recent years, hackers have intensified their attacks on third-party business associates, raising alarms among healthcare providers, Critical Insight reported. “While the percentage of provider breaches has shown a slight decline, from 81% in the second half of 2019 to the current 65%, a concerning trend has emerged.” 

Critical Insight’s analysis of breach data supplied to HHS reveals the following key findings.

  • Breach Numbers Decrease: Total breaches dropped 15 percent in the first six months of 2023 compared to the second half of 2022, which is a positive trend considering the steady increase in attacks over the past few years. The reduced number of breaches in the first half of this year suggests that the overall number may be lower for the entire year. This year is on track to record the fewest breaches since 2019 and experience fewer provider breaches compared to the previous three years.
  • Exposed Records Increase: Individual records compromised in data breaches surged by 31 percent in the first half of 2023 compared to the second half of 2022. Although the number of breaches declined over the latest reporting period, the number of individuals affected increased from 31 million in the second half of 2022 to 40 million in the first half of 2023. At 40 million, the figure for this six-month reporting period is already 74 percent of the total number of individuals affected in 2022, and is the highest number on record for six months.
  • Data Breach Causes: Hacking/IT incidents were the primary cause, accounting for 73 percent of breaches in the first half of 2023. Compared to the first-most affected breach type in the previous reporting period, unauthorized access/disclosure was the second-most prevalent type in the first half of 2023. Theft, losing records, and improper disposal were relatively insignificant contributors to data breaches.
  • Hacker Entry Points: The focus on network server vulnerabilities and the adaptation of defense against email-related hacks point to a continual evolution in the cyber landscape. Hackers have shifted their tactics towards targeting network vulnerabilities. Network server breaches are responsible for a staggering 97 percent of individual records affected, while only 2 percent can be attributed to email breaches.
  • Evolved Attacker Tactics: Hackers have intensified their attacks on third-party business associates as breaches associated with business associates have steadily risen and were significantly higher than individuals affected in healthcare provider and health plan-related breaches. Of the 40 million exposed records, 48 percent were linked to business associates, while 43 percent were associated with healthcare providers. In the first half of 2023, 50 percent of individuals impacted by a breach had a business associate present.

The report also pointed out that attackers seem to be changing strategies, some employing ‘double extortion’ in which they charge victims once for decryption and once for the stolen data. “Others are shifting away from encryption to solely ‘single-extortion’ in which they demand payment for stolen data. Without the revenue from encryption, some criminals have also reached out directly to patients, demanding money,” it added. 

“Our report found that hackers are increasingly targeting the weakest links and vulnerable points in the supply chain, specifically business associates or third-party companies that offer services to healthcare organizations, emphasizing the importance of effective incident response planning and proactive defense strategies,” John Delano, healthcare cybersecurity strategist at Critical Insight and vice president at CHRISTUS Health, said. “Now more than ever, healthcare organizations must remain vigilant of their security and exposures within their supply chain as attackers constantly adapt new strategies.”

To adequately prepare, the Critical Insight report said that organizations should start with an incident response plan and a NIST-CSF-based risk assessment to build a multi-year strategy, and should track the cyber hygiene of their critical partners, which is essential to maintaining a more secure environment. It also suggests placing robust focus on safeguarding third-party vendors, business associates, and suppliers from vulnerabilities; ensuring support from the board; and emphasizing the most critical impact for the investment.

Last month, the Health Sector Cybersecurity Coordination Center (HC3) in the HHS revealed that vulnerabilities affecting the health sector in June have been identified and require prompt attention. The HC3 bulletin has identified security loopholes in hardware from various vendors, including Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMware, and Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer.