The COVID-19 pandemic caused a surge of cyberattacks over the past two years as cyber criminals exploited the weaker security that came with widespread remote work.
No American industry is more vulnerable to the swelling wave of cyber threats than health care, including U.S. hospitals, medical clinics and insurers. The mountains of sensitive personal health data stored in these institutions and companies are critical to each individual and of great importance to American society and our economy, making them prime targets.
In response, health care providers, digital health organizations and pharmaceutical companies are challenged to act now to demonstrate to patients and customers that they are fortifying their digital defenses and engaging stakeholders, including government officials.
A recent Politico analysis of U.S. Department of Health and Human Services data revealed "a threefold increase in three years" in unauthorized access to personal data held by health care and medical organizations, mostly from hacking. While breaches were widespread, they were most acute in Alaska, the District of Columbia, Florida, Nevada, New Mexico and Wisconsin.
Last year was the worst on record for the health care industry's cybersecurity. One report counted more than 700 breaches in 2021, each compromising 500 or more patient or customer records. That translates to more than 44 million records stolen or accessed from pharmacies, university medical systems and diagnostic providers, among others.
According to several reports, the health industry is the second most likely target of cyber criminals, just behind small businesses and just ahead of financial institutions, government agencies and higher education. The costs, financial and reputational, are significant, more than enough to keep CEOs, board members and CISOs awake at night.
The financial ramifications can be breathtaking, especially in the case of a ransomware attack. In regulated industries such as health care, costs are typically higher and include increased insurance, legal and customer-notification expenses in addition to the loss of customers and patients. The average cost per compromised record is $430, and the total average cost of an incident approaches $4 million.
The reputational ramifications are often more severe and longer lasting because your “good name” can take years to restore. It’s particularly true for health care companies that rely on the trust of patients to protect some of their most sensitive information.
When these organizations don’t communicate in timely, transparent and caring fashion, stakeholder trust plummets amid perceptions that organizational strength and competence are low. Other so-called “soft” costs include recruitment challenges, investor or shareholder concerns, reluctance of industry partners to collaborate and media digging into other problems, real and perceived.
Recent White House warnings about the growing potential for Russian cyberattacks against the United States were a wake-up call to business and industry, health care and medicine included. Health and medical organizations appear to be taking the warning seriously, but they have a lot of lost ground to make up. Most industries are not keeping pace with the speed of security innovation; hospitals, medical device makers, health care specialists and others in the field have lagged even further behind.
Health care and medical organizations should start by examining their security budgets, which are among the lowest of any sector of the economy. Strategic investments in data security yield a high return.
Scenario planning and war-gaming are also essential. Responding to a health data breach for the first time is trying enough; doing so with little or no prior planning or simulated training leads directly to mistakes with financial and reputational consequences.
Many in the industry do not have a communications playbook as part of a broader cybersecurity response plan. Proactive, strategic communications on the front end will solidify trust and reinforce confidence among customers and the public, providing reputational protection when the inevitable occurs. In addition to customer engagement, the playbook should include the development of third-party allies and relationship building with health and cybersecurity officials.
A playbook ensures timely and strategic engagement with internal and external stakeholders, consideration of mandatory disclosure triggers and the implications of the Health Insurance Portability and Accountability Act (HIPAA) when sensitive patient health information is involved. The HIPAA Breach Notification Rule, for example, requires that affected individuals be notified without unreasonable delay and no later than 60 days after a breach is discovered, and that breaches affecting 500 or more individuals be reported to HHS and to prominent media outlets in the same timeframe. Trust and confidence built over years can be wiped out in the immediate aftermath of a health data breach but can grow with fact-based, transparent and timely engagement.
For any health care or medical organization, time is critical when today’s perfect storm leads to a data breach. Developing a response structure and proactive strategic plan is vital to maintaining patient and customer confidence, fulfilling legal and regulatory requirements and strengthening trust and reputation over the long term.