The average financial cost of a data breach in healthcare entities continually exceeds other industries. According to the 2020 IBM Cost of a Data Breach report, an average data breach in healthcare costs $7.13 million. Additionally, breaches tend to have longer lifecycles in healthcare systems: an average of 329 days in 2020, compared to the 280-day average among all industries.
All data breaches involve direct and indirect costs, no matter the industry. These costs typically include investigation, mitigation and potential litigation not to mention any ransoms paid. There are also costs associated with unplanned downtime, compromised personal data and intellectual property, and reputational damage.
Healthcare entities face these costs when a breach occurs. But they must also account for other immediate and long-term impacts of an incident given their circumstances and the types of data they possess.
For instance, if their networks are held for ransom, they often cannot access information that’s essential to patient care. If the highly sensitive data they protect is stolen, their patients could endure consequences for years to come.
The best way to reduce such costs during an incident is to be prepared. Here’s how you can build a robust cybersecurity plan to weather the storm.
Here are several real examples of the cost of data breaches in healthcare entities beyond mitigation and litigation.
The FBI does not recommend paying ransoms to cybercriminals. But most healthcare entities can’t afford to lose access to their data and networks for extended periods. They also can’t afford to have sensitive personal information and data released or compromised. So, there are many examples of healthcare systems paying ransoms to regain access and save their data—as well as patient lives.
Ransom Paid: $17,000
In February of 2016, cybercriminals took over computers at Hollywood Presbyterian Medical Center in Los Angeles, California, using the Locky ransomware. The organization paid a bitcoin ransom equal to $17,000.
Locky Ransomware is a malware attack delivered in an attachment as part of a phishing campaign. The attachment is typically a Microsoft Word file, though it may appear as a PDF or be otherwise hidden. It is a two-step social engineering campaign. The user opens the attachment (step one) and enables the macros within so they can read the file (step two). This triggers the download of an executable and the ransomware can then spread within the network.
Ransom Paid: $90,000
In May of 2017, a WannaCry Ransomware attack affected multiple industry organizations at once, including about 40 U.K. hospitals in the National Health System (NHS). This incident meant hospitals had to redirect ambulances and couldn’t perform certain medical procedures. A total of $90,000 was paid to restore access across all organizations.
WannaCry Ransomware involves a virus that is embedded in .zip files and delivered to users as an email attachment. The virus starts a countdown toward deleting files unless a ransom is paid, and the ransom continually increases throughout the countdown. This ransomware exploits a vulnerability in Windows.
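Both delivery patterns described above (a macro-bearing Office attachment that may be disguised as a PDF, and a .zip attachment wrapping a malicious payload) can be caught at a mail gateway before a user ever reaches "step one". The following Python script is an added example written for this article, not code from the page or any vendor: it inspects an attachment by its actual content rather than its claimed extension, flags zip-based Office documents that carry a VBA project (`vbaProject.bin`), opens plain archives to look for executables or nested macro documents, and holds legacy binary (OLE) Office files because confirming macros there needs a real OLE parser such as oletools' `olevba`. The extension lists, verdict names and the sample attachments are constructed assumptions for the demonstration.

```python
"""Content-based triage of e-mail attachments (added example, not the article's code)."""
import io
import zipfile
from dataclasses import dataclass, field

# Assumed policy lists, constructed for this example; tune to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}
OFFICE_EXTS = {".doc", ".docx", ".docm", ".dotm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm"}
ZIP_MAGIC = b"PK\x03\x04"                        # zip container: archives and OOXML documents
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.doc/.xls) container
MAX_NESTING = 2                                  # how deep to open archives inside archives


@dataclass
class Finding:
    filename: str
    verdict: str                      # "block", "quarantine" or "allow"
    reasons: list = field(default_factory=list)


def ext_of(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def ooxml_macro_parts(data: bytes) -> list:
    """Names of VBA project parts inside a zip-based Office document (empty if none)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes, depth: int = 0) -> Finding:
    ext, reasons, verdict = ext_of(filename), [], "allow"
    if data.startswith(OLE_MAGIC):
        # The VBA stream of a legacy file needs a real OLE parser (e.g. olevba); hold it.
        reasons.append("legacy OLE Office container; macros not verifiable here")
        verdict = "quarantine"
    elif data.startswith(ZIP_MAGIC):
        macro_parts = ooxml_macro_parts(data)
        if macro_parts:
            reasons.append("Office document contains VBA macro project: " + ", ".join(macro_parts))
            verdict = "block"
            if ext not in OFFICE_EXTS:      # "may appear as a PDF or be otherwise hidden"
                reasons.append(f"claimed extension {ext!r} hides an Office container")
        elif ext not in OFFICE_EXTS:        # plain archive: inspect what it wraps
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if member.endswith("/"):
                            continue
                        if ext_of(member) in EXECUTABLE_EXTS:
                            reasons.append(f"archive wraps executable member {member!r}")
                            verdict = "block"
                        elif depth < MAX_NESTING:
                            inner = triage_attachment(member, zf.read(member), depth + 1)
                            if inner.verdict != "allow":
                                reasons.extend(f"{member}: {r}" for r in inner.reasons)
                                verdict = "block" if "block" in (verdict, inner.verdict) else "quarantine"
            except zipfile.BadZipFile:
                reasons.append("malformed zip archive")
                verdict = "quarantine"
    elif ext == ".pdf" and not data.startswith(b"%PDF"):
        reasons.append("claims to be PDF but lacks the %PDF header")
        verdict = "quarantine"
    return Finding(filename, verdict, reasons)


def _ooxml(with_macros: bool) -> bytes:
    """Constructed minimal zip-based Office document; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def _zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments mirroring the delivery patterns in the article.
SAMPLES = {
    "invoice.docm": _ooxml(True),                   # macro-enabled Word attachment
    "invoice.pdf": _ooxml(True),                    # same file, disguised as a PDF
    "report.docx": _ooxml(False),                   # macro-free document
    "photos.zip": _zip({"holiday.jpg": b"\xff\xd8", "holiday.jpg.exe": b"MZ"}),
    "scan.zip": _zip({"form.docm": _ooxml(True)}),  # macro document nested in a zip
}


def run_samples() -> dict:
    return {name: triage_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, finding in run_samples().items():
        print(f"{name:14} {finding.verdict:10} {'; '.join(finding.reasons)}")
```

The point of keying on file contents rather than names is that a renamed `.docm` still begins with a zip header and still contains `vbaProject.bin`, so the disguised `invoice.pdf` sample is blocked exactly like the honest `invoice.docm`. In production this check sits alongside, not instead of, endpoint policy that disables macros from the internet zone.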
Ransom Paid: Undisclosed
In October of 2019, Ryuk Ransomware affected three hospitals within Alabama’s DCH Health Systems. The hospitals could not access important files and had to resort to pen and paper methods, and they couldn’t accept new patients. The health system agreed to pay an undisclosed ransom amount.
Ransom Paid: Undisclosed
In December of 2019, Hackensack Meridian Health (HMH) in New Jersey was affected by an undisclosed ransomware attack. The attack restricted important software, many medical procedures had to be postponed, and hospital staff had to use pen and paper methods. HMH did not disclose the amount they paid in ransom. And they faced a class-action lawsuit following the incident.
Ransom During COVID-19 Surge
When patient numbers were first escalating at hospitals in the U.S. and Europe, cybercriminals took opportunities to exploit the situation. They would take systems for ransom with the threat of publishing patient records. Maze Ransomware was a commonly used attack in the U.K.
Patient records, which include personally identifiable information (PII) and protected health information (PHI), are highly valuable to cybercriminals, and the harm from their misuse can be severe. As a result, they can be worth up to $1,000 each.
Patient Records Breached: 130,000
In 2019, cybercriminals breached 130,000 records at Kalispell Regional Healthcare (KRH) in Montana. They achieved this through an email phishing scam. It took months for KRH to detect the breach. In December of that same year, a lawsuit was brought against KRH and they eventually reached a settlement of $4.2 million with those affected. Importantly, KRH was ranked among the top organizations in terms of cybersecurity. Yet, they still had several identifiable deficiencies that made them vulnerable to this breach.
Patient Records Breached: 35,000
In January of 2018, a cybercriminal breached the email accounts of employees at ATI Physical Therapy in Illinois. The breach involved over 35,000 records. For some patients, their Social Security numbers, bank account numbers and medical record numbers were breached.
Patient Records Breached: 134,512
Also in January of 2018, a malware attack affected St. Peter’s Surgery and Endoscopy Center, and they were able to detect it within 24 hours. Over 134,000 records were exposed, which included personal and medical information. Some patients also had their Medicare data breached.
Patient Records Breached: 19,000
From June to July of 2017, more than 19,000 patient records were exposed during a ransomware attack at Medical Oncology Hematology Consultants in Delaware. A third-party forensic analysis was conducted that did not find patient files were accessed.
Patient Records Breached: 106,000
In March of 2017, over 106,000 patient records were potentially breached during a ransomware attack at Mid-Michigan Physicians Imaging Center. Records included Social Security numbers and other personally identifiable information, as well as medical information. The forensic analysis of this attack did find certain patient files were accessed.
Patient Records Breached: 176,295
From February of 2016 to May of 2017, a cybercriminal breached the systems of PeachTree Neurological Clinic in Atlanta, exposing the records of over 176,000 patients. This breach was only discovered during the investigation of another ransomware attack.
When a healthcare entity must postpone procedures, can’t access important records, or suffers a data breach that exposes personal and medical information, it’s easy to imagine the risks involved. Unfortunately, in some cases, those risks do play out and become realities.
A researcher at Vanderbilt University’s Owen Graduate School of Management, Dr. Sung Choi, was able to quantify this cost in 2018, comparing mortality rates and determining that data breaches at hospitals could be linked to thousands of patient deaths. The research showed an increase in mortality rate of 0.23 percent one year post-breach and an increase of 0.36 percent two years post-breach. This came to over 2,100 deaths.
In fact, one recent ransomware attack at a hospital in Germany is potentially linked directly to a patient death. In September of 2020, Düsseldorf University Hospital experienced a ransomware attack that affected their IT network. A 78-year-old patient who had suffered from an aneurysm died when rerouted from this hospital to a different location via ambulance.
Exposed personal information also leaves patients and individuals susceptible to danger. Their identifying information in the hands of someone with ill intentions could have serious consequences. For example, one foster family received death threats when their personal information was leaked to the birth family. Once the leak was discovered, the child was removed from the foster family, as the birth parents were known to have threatened social workers previously. Then, the family received a phone call and text messages in which their lives were threatened. They were forced to temporarily relocate for their own safety.
Medical Identity Theft
Finally, there are significant consequences for patients when their personal and medical data are compromised, stolen and used. This information can be used to perpetrate medical fraud, and patients are often left footing the bill in order to maintain coverage, avoid collections and restore their identities so they can get treatment and prevent further fraud.
Considering the tremendous and varied costs associated with a data breach, it pays to be prepared. Leaders at healthcare entities should take steps to bolster their cybersecurity efforts, spread awareness throughout their organizations to combat social engineering, and prepare themselves for an inevitable breach.
Awareness and prevention are the best gatekeepers when it comes to protecting your systems and data. But a well-laid, practiced incident response plan is your best offense.