The average financial cost of a healthcare data breach consistently exceeds that of other industries. According to the 2020 IBM Cost of a Data Breach report, the average breach in healthcare cost $7.13 million. Breaches in healthcare also take longer to identify and contain: an average lifecycle of 329 days in 2020, compared with the 280-day average across all industries.
Every data breach, whatever the industry, carries direct and indirect costs. These typically include investigation, mitigation and potential litigation, not to mention any ransom paid. There are also costs from unplanned downtime, compromised personal data and intellectual property, and reputational damage.
Healthcare entities face these costs when a breach occurs, but they must also account for other immediate and long-term impacts given their circumstances and the types of data they hold.
For instance, if their networks are held for ransom, they often cannot access information that’s essential to patient care. If the highly sensitive data they protect is stolen, their patients could endure consequences for years to come.
The best way to reduce such costs during an incident is to be prepared. Here’s how you can build a robust cybersecurity plan to weather the storm.
Here are several real examples of what a healthcare data breach costs beyond mitigation and litigation.
The FBI does not recommend paying ransoms to cybercriminals. But most healthcare entities can't afford to lose access to their data, resources, services and networks for extended periods, and they can't afford to have sensitive personal information released. So there are many examples in the news of healthcare organizations paying ransoms to regain access to their data, their systems and, ultimately, their ability to treat patients.
In February 2016, cybercriminals took over computers at Hollywood Presbyterian Medical Center in Los Angeles, California, using the Locky ransomware. The organization paid a ransom of 40 bitcoin, worth about $17,000 at the time.
Locky is ransomware delivered as an attachment in a phishing campaign. The attachment is typically a Microsoft Word document, though it may arrive as another file type or inside an archive. Delivery is a two-step social-engineering chain: the user opens the attachment (step one), then enables macros because the document claims its content cannot be displayed otherwise (step two). The macro downloads and runs the ransomware executable, which encrypts local files and any reachable network shares.
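The delivery chain above is what a mail gateway can interrupt before step one ever happens. The following is an added example, not code from the original article or from any vendor it mentions: a small inspection routine that opens each attachment of an email and looks for the markers of a macro-enabled Office document (a `vbaProject.bin` part and the `macroEnabled` content type) by reading the bytes rather than trusting the file extension, and that also unwraps zip archives and flags executable attachment types. The sample message, the `example.invalid` addresses and the minimal `.docm` skeleton are all constructed here for the demonstration; the skeleton is not a real malicious document, and the function names are my own.

```python
"""Flag mail attachments that match the macro-document delivery chain (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# OOXML content types that mark a document as macro-enabled, regardless of its name.
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
}
EXEC_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".wsf", ".cmd", ".bat")


def inspect_office_zip(data: bytes) -> list[str]:
    """Return findings for an OOXML (zip-based) Office document; [] if not one."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    # The VBA project is stored as a binary part; a renamed .docm still carries it.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("contains VBA project (vbaProject.bin)")
    if "[Content_Types].xml" in names:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if any(ct in ctypes for ct in MACRO_CONTENT_TYPES):
            findings.append("declares macro-enabled content type")
    return findings


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Inspect one attachment by content; recurse one level into zip archives."""
    findings = []
    if filename.lower().endswith(EXEC_EXTENSIONS):
        findings.append(f"executable attachment type: {filename}")
    findings += inspect_office_zip(data)
    if filename.lower().endswith(".zip"):
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
            for name in zf.namelist():
                inner = inspect_attachment(name, zf.read(name))
                findings += [f"{name}: {f}" for f in inner]
        except zipfile.BadZipFile:
            pass
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map attachment filename -> findings for every flagged attachment in a raw email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings = inspect_attachment(name, part.get_payload(decode=True))
        if findings:
            report[name] = findings
    return report


def build_macro_doc() -> bytes:
    """Constructed sample: a minimal macro-enabled .docm skeleton (not a real malicious file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types><Override PartName="/word/document.xml" '
            'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


def wrap_in_zip(name: str, data: bytes) -> bytes:
    """Constructed sample helper: put one file into a zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed sample phishing email: the macro document is renamed to .docx."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "frontdesk@example-hospital.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please enable editing and content to view the invoice.")
    msg.add_attachment(build_macro_doc(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docx")
    msg.add_attachment("Harmless cover note.", subtype="plain", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_email()).items():
        print(name, "->", "; ".join(findings))
```

Two caveats for real deployment: this only establishes that a macro project is present, not what it does (decompressing and reading the VBA source needs a tool such as oletools' olevba), and the archive recursion should be bounded by size and depth before it is exposed to attacker-controlled zip files.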
In May 2017, the WannaCry ransomware outbreak hit organizations across many industries at once, including around 40 U.K. hospitals in the National Health Service (NHS). Hospitals had to divert ambulances and cancel certain procedures. About $90,000 in total was reported paid by victims worldwide in the days after the outbreak; the NHS itself reported paying no ransom.
WannaCry is a self-propagating worm, not an email attachment: it scans for Windows machines with an exposed, unpatched SMBv1 service and exploits the vulnerability fixed by Microsoft's MS17-010 update (the EternalBlue exploit), so no user interaction is needed. Once a machine is infected, it encrypts files and displays a ransom note with a countdown: the ransom doubles after three days, and the note threatens to delete the files after seven.
In October 2019, Ryuk ransomware hit three hospitals in Alabama's DCH Health System. Staff could not access important files and had to fall back to pen and paper, and the hospitals stopped accepting new patients. The health system paid an undisclosed ransom.
In December 2019, Hackensack Meridian Health (HMH) in New Jersey was hit by a ransomware attack; the strain was not disclosed. Key software was unavailable, many procedures had to be postponed, and staff worked on pen and paper. HMH did not disclose the ransom amount it paid, and it faced a class-action lawsuit after the incident.
When COVID-19 patient numbers first surged at hospitals in the U.S. and Europe in 2020, cybercriminals exploited the situation, holding systems for ransom under the threat of publishing patient records. Maze ransomware was a common tool in attacks on U.K. organizations.
Patient records, which include personally identifiable information (PII) and protected health information (PHI), are highly valuable to cybercriminals because they can be exploited for years: a medical history cannot be reissued the way a payment card can. Estimates of their black-market value run as high as $1,000 per record.
In January 2018, a cybercriminal breached the email accounts of employees at ATI Physical Therapy in Illinois, exposing more than 35,000 records. For some patients, the exposed data included Social Security numbers, bank account numbers and medical record numbers.
Also in January 2018, a malware attack hit St. Peter's Surgery and Endoscopy Center. It was detected within 24 hours, but more than 134,000 records containing personal and medical information were exposed, including some patients' Medicare data.
Between June and July 2017, a ransomware attack at Medical Oncology Hematology Consultants in Delaware exposed more than 19,000 patient records. A third-party forensic analysis found no evidence that patient files had been accessed.
From February 2016 to May 2017, an intruder had access to the systems of Peachtree Neurological Clinic in Atlanta, exposing the records of more than 176,000 patients. The breach was discovered only during the investigation of a separate ransomware attack, which shows how long an intrusion can go unnoticed without monitoring.
When a healthcare entity must postpone procedures, can’t access important records, or suffers a healthcare data breach that exposes personal and medical information, it’s easy to imagine the risks involved. Unfortunately, in some cases, those risks do play out and become realities.
In fact, one recent ransomware attack on a hospital in Germany has been linked, at least potentially, to a patient death. In September 2020, Düsseldorf University Hospital suffered a ransomware attack that took down its IT network. A 78-year-old patient with an aneurysm died after her ambulance was diverted from this hospital to one farther away.
Exposed personal information also puts patients and individuals in physical danger after a healthcare data breach, because identifying information in the hands of someone with ill intent can have serious consequences. For example, one foster family received death threats after their personal information was leaked to the child's birth family. Once the leak was discovered, the child was removed from the foster home, because the birth parents were known to have threatened social workers before. The family then received a phone call and text messages threatening their lives and had to relocate temporarily for their own safety.
Beyond the financial cost to the organization, there are significant consequences for patients when their personal and medical data are compromised, stolen and used. The information can be used to commit medical identity fraud, and patients are often left footing the bill to keep their coverage, avoid collections and restore their identities so they can get treatment and prevent further fraud.
Considering the tremendous and varied costs associated with a medical data breach, it pays to be prepared. Leaders at healthcare entities should take steps to bolster their cybersecurity efforts, spread awareness throughout their organizations to combat social engineering, and prepare themselves for an inevitable breach.
Awareness and prevention are the first line of defense for your systems and data. But a well-laid, regularly practiced incident response plan is what limits the damage when prevention fails.