Breaches exposed 45.67M patient records in 2021, largest annual total since 2015

The healthcare sector saw a record number of data breaches in 2021, led by hacking and IT incidents. Those negative trends are expected to continue in the coming year. (Photo credit: “Working in the Trans-NIH RNAi Facility” by NIH-NCATS is marked with CC PDM 1.0)

Hacking and IT incidents were the leading culprits of healthcare data breaches in 2021, increasing by 10% from the previous year, according to a new Critical Insight report. In total, there were 500 incidents tied to hacking last year, compared with 455 in 2020.

The report analyzes breaches of protected health information reported to the Department of Health and Human Services by covered entities and business associates last year. It confirms that PHI was exposed at the highest levels seen since 2015.

In total, 45.67 million patient records were breached last year. The only year to surpass that total in the last 11 years was 2015, and it did so only because of a single breach reported by Anthem, a hacking incident that led to a potential data theft impacting nearly 80 million patients.

The breach tally in 2019 nearly reached 2021’s total with 42.37 million records compromised. A recent Fortified Health Security report confirms these statistics.

While concerning, the Critical Insight report shows that hacking and IT incidents grew at a slower rate than in previous years. For all intents and purposes, the rate of data breaches is relatively flat, with just a 2.4% year-over-year increase.

As noted in several recent reports, 2021 saw some of the most frequent, massive healthcare data breaches since HHS began recording these incidents. In addition, the number of reported breaches and the number of individuals affected slightly declined during the second half of 2021 in comparison with the first half of the year.

Critical Insight researchers explained that it’s “too early to tell if that modest improvement represents the beginning of a longer trend in the right direction.”

Namely, the total number of reported breaches has been steadily increasing since 2018, with an 84% increase between 2018 and 2021. In fact, “Breaches have actually declined over the past two reporting periods, going from 393 in the second half of 2020 to 368 in the first half of 2021 to 311 in the second half of the year.”

“The baseline is so high that the total number of individuals affected in 2021 hit a high of 45 million, up 20% from 34 million in 2020,” according to the report. And it’s of particular concern, as last year’s breach tally is three times what was reported in 2018, at just 14 million compromised records.

Further, the spike in reported breaches during the second half of 2020 might have been caused by reporting delays due to the pandemic, or undetected dwell time.

The researchers believe there are several possible explanations for the decline, including the hopeful one that security teams have indeed improved their defenses in response to the massive surge in attacks in 2020.

Just who is falling victim? The data confirm that healthcare providers reported the most breaches, with 493 attacks in 2021, a slight improvement over the 515 reported in 2020. It’s important to note that several massive third-party breaches, like the Accellion hack, were reported to HHS by the covered entity despite the third-party cause.

The report also shows cyberattacks against health plans rose 35% from 2020 to 2021. Reported business associate attacks also increased over the same period, by 18%.

As reported earlier by SC Media, vendor incidents were behind the biggest breaches in healthcare and more than other entities. The Critical Insight report confirms vendors caused 13% of the incidents, but accounted for 24% of the total affected records.

Lastly, outpatient and specialty clinics are now seeing more hacking or IT incidents than hospitals, with a 41% increase in those incident types last year compared with 2020.

Any positive trends are certainly not a call to slow these critical cybersecurity improvements. In the coming year, data show that hackers are aiming to exploit bigger targets and leverage more sophisticated means to accomplish their goals, including targeting known vulnerabilities in the healthcare supply chain.

In particular, Michael Hamilton, Critical Insight CISO, explained in the report that ransomware attacks will continue to be a problem across all sectors, despite federal government efforts to disrupt the supply chain.

As such, provider organizations should review the ways hackers are gaining access to health information, which include third-party software vulnerabilities (like in the Accellion incident) and misconfigured databases (as seen with the 20/20 Eye Care network hack).

In light of the continued attacks against supply chain and third-party vendors, healthcare organizations should pay particular attention to these access points and security requirements.

As Amir Magner, founder and president of CyberMDX, previously told SC Media, the ideal scenario would see healthcare entities adopting a zero-trust mindset, requiring each device, user, and resource to be identified before authenticating to the network and granting “minimal access they need to function, based on a trust policy defined especially for them.”

While ideal for most scenarios, zero trust would greatly benefit unmanaged devices where it “usually translates to contextual micro-segmentation, which relies on very strong identification of devices and fine-tuned allow-list policies that enable access to/from their legit ecosystem, excluding all other interactions,” he added.

“More simply, it segments the network so that users only have access to what they need to do their jobs. Why should the accounting department have network access to the devices in the radiology suite? Or why would the security cameras ever be connected to patient monitoring devices in the nurses’ station?” Magner concluded. “It doesn’t make sense.”

By steadily adopting the zero-trust model, entities can contain breaches by stopping attackers from moving laterally across the network.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
