Heightened Scrutiny of Health Data Breaches: Organizations Under Pressure to Ensure Data Security

Posted by HIPAA Software on Jun 07, 2023

The number of hacker attacks on the healthcare sector is growing, and with it have come new regulatory requirements, closer scrutiny of health data breaches, and compliance initiatives tied to the Dobbs decision and the use of tracking pixels. The number of lawsuits against healthcare organizations for privacy violations has also increased significantly. As a result, the focus on data protection and compliance in HIPAA-regulated and other healthcare organizations has intensified, and enforcement actions and privacy-breach lawsuits are expected to rise further in the coming year.

The Beginning of Health Data Breach Scrutiny

The recently released BakerHostetler Data Security Incident Response Report (DSIR) sheds light on these issues and offers valuable insights into the threat landscape. This information can help organizations prioritize their efforts and investments. The report, now in its 9th year, is based on an analysis of 1,160 security incidents managed by BakerHostetler’s Digital Asset and Data Management Practice Group in 2022.

After a spike in ransomware attacks in 2021, such attacks declined in 2022. At the end of the year, however, attacker activity surged again, and the surge has continued into 2023. The growth in the number of attacks was accompanied by increases in the size of ransom demands, in ransoms paid, and in the time required to recover from ransomware incidents. In 2022, six of the eight industries surveyed saw both average demands and average payments rise. In healthcare, the average ransomware demand reached USD 3,257,688 (median USD 1,475,000) in 2022, and the average payment rose 78% to USD 1,562,141 (median USD 500,000). Across all industries, the average ransom paid rose 15% to USD 600,688.

Network intrusions rose to become the most common incident type, accounting for nearly half of all incidents in the data set. Organizations have improved detection and containment: average dwell time (from intrusion to detection) fell from 66 to 39 days in 2022, average containment time from 4 to 3 days, and the average forensic investigation from 41 to 36 days.

Evolving Cybersecurity Threats and the Battle to Stay Protected

The growing number of hacking and ransomware attacks has forced companies to invest heavily in cybersecurity. Despite these stronger defenses, attackers keep finding new ways around them and continue to mount systemic attacks. Techniques that proved successful in 2022 include MFA bombing (push-notification fatigue), social engineering, SEO poisoning, and malware built to evade endpoint detection and response (EDR) tools.

The costs associated with cyberattacks rose significantly in 2022. Forensic investigation costs increased 20% year on year, as did business interruption, data analysis, notification, and remediation costs. Legal expenses related to data breaches also rose sharply, as multiple lawsuits following a single breach became commonplace.

Health data breaches involving between 10,001 and 500,000 records now typically draw 12 to 13 lawsuits, and even small breaches of fewer than 1,000 records typically draw about 4. According to BakerHostetler, the number of lawsuits has doubled from the previous year, to the point where litigation after a data breach is almost inevitable. Suits are increasingly filed for violations of state privacy laws, and with new privacy legislation enacted in four states in 2022 and another state preparing a privacy law for 2023, the compliance landscape is becoming steadily more demanding.

Growing concern: Tracking technologies, privacy violations, and increased healthcare enforcement

In the summer of 2022, The Markup and STAT published a report drawing attention to the widespread use of tracking technologies known as pixels on hospital websites. Installed to measure and improve website functionality, these code snippets also transmitted identifiable visitor information to third parties, in many cases without the hospital realizing it. The disclosure caught the attention of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), both of which issued guidance on the use of pixels. Violations of the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTC Act) involving pixels became a focal point for enforcement, and regulatory actions and lawsuits followed against the healthcare organizations involved.

Since the report's release in June 2022, healthcare organizations have faced more than 50 lawsuits over pixel-related privacy violations. A subsequent study found that almost 99% of non-federal acute care hospital websites used data-transmitting pixels, yet only a small number of healthcare organizations have so far reported pixel-related breaches to OCR. A surge in OCR HIPAA enforcement actions, and in lawsuits filed over these breaches, is therefore expected in the coming months.
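A check a practitioner would want to run before a regulator or a plaintiff's expert does: enumerate every third-party host a page would contact when rendered, and note what page context (path and query string) those hosts receive through the Referer header or `location.href`. The script below is an added example, not code from the HIPAA Software page or from the BakerHostetler report; the sample HTML, the `example-hospital.org` first-party domain and the tracker hostnames in it are constructed for illustration and do not correspond to any real site or vendor.

```python
"""Audit an HTML page for third-party beacons (added example; constructed data).

Collects every URL the page would load (script/img/iframe src, link href,
and absolute URLs embedded in inline scripts, which is where pixel loaders
and sendBeacon calls usually live) and reports the hosts outside the
first-party domain. Any such host learns the page URL through the Referer
header or location.href, which on a condition-specific appointment page is
itself identifiable health information.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AssetCollector(HTMLParser):
    """Gather resource URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.urls = []            # URLs fetched as part of rendering
        self.inline_scripts = []  # text of <script> blocks without src
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])
        if tag == "script" and not a.get("src"):
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)


# Absolute URLs inside inline JavaScript (string literals, beacon endpoints).
_ABS_URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def _is_first_party(host, first_party_domain):
    return host == first_party_domain or host.endswith("." + first_party_domain)


def audit_page(html, page_url, first_party_domain):
    """Return the third-party hosts contacted by `html` and the page context
    (path + query) that each of them receives via Referer / location.href."""
    collector = _AssetCollector()
    collector.feed(html)
    candidates = list(collector.urls)
    for body in collector.inline_scripts:
        candidates.extend(_ABS_URL_RE.findall(body))

    hosts = set()
    for url in candidates:
        host = urlparse(url).hostname  # None for relative paths -> first party
        if host and not _is_first_party(host, first_party_domain):
            hosts.add(host)

    parsed = urlparse(page_url)
    context = parsed.path + ("?" + parsed.query if parsed.query else "")
    return {"third_party_hosts": sorted(hosts), "exposed_context": context}


# Constructed sample page: a first-party CDN, one self-hosted image, and three
# third-party endpoints (a pixel loader, a sendBeacon collector, a 1x1 GIF).
SAMPLE_PAGE_URL = "https://www.example-hospital.org/oncology/schedule-appointment?provider=dr-smith"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-hospital.org/js/app.js"></script>
<script>
  (function(){var s=document.createElement('script');
   s.src='https://tracker.example-analytics.net/pixel.js';
   document.head.appendChild(s);})();
  navigator.sendBeacon('https://collect.example-analytics.net/v1',
                       JSON.stringify({url: location.href}));
</script>
</head><body>
<img src="/images/logo.png">
<img src="//img.example-adnetwork.com/px.gif?ev=PageView" width="1" height="1">
<form action="/appointments/submit" method="post"><input name="reason"></form>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, SAMPLE_PAGE_URL, "example-hospital.org")
    for host in report["third_party_hosts"]:
        print(f"third party: {host} receives {report['exposed_context']}")
```

Running this on the constructed page reports three third-party hosts, each of which receives `/oncology/schedule-appointment?provider=dr-smith`. A static parse like this misses scripts that are loaded dynamically by other scripts, so in practice it is a first pass to be confirmed against a browser's network log or HAR export of the rendered page.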

The FTC and OCR have said they will prioritize enforcement for breaches of reproductive health information, and actions are expected to target both HIPAA-regulated entities and non-regulated entities in the healthcare industry. OCR's HIPAA Right of Access enforcement initiative likewise continues to underline the importance of compliance.

Expanding HIPAA Compliance: Employer-Sponsored Health Plans and Non-Healthcare Entities under Regulatory Scrutiny

Non-healthcare organizations are also being urged to prioritize HIPAA compliance, especially those that sponsor employer health plans. Health plan breaches surged in 2022, drawing increased scrutiny from OCR and the Department of Labor. State attorneys general are also showing growing interest in healthcare entities, resulting in more HIPAA investigations and more enforcement of state law.

BakerHostetler's analysis also found a significant increase in insider snooping cases in 2022: healthcare workers accessing medical records without authorization or attempting to divert controlled substances. This underscores the need for reliable system-activity and audit logging so that insider misuse can be identified quickly. As BakerHostetler notes, detecting hacking and ransomware incidents likewise depends on systems that flag anomalies in system activity.
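What that audit logging has to support, as an added example (not code from this page or from BakerHostetler): two detections run over EHR access-log lines, a treatment-relationship check that flags any view or dispense by a user who is not on the patient's care team, and a sliding-window volume check that flags a user pulling far more records than a normal workflow would, even when each individual access is permitted. The log lines, the `CARE_TEAM` roster, the role and user names and the thresholds (more than 5 events in 10 minutes) are constructed for illustration; in production the roster would come from scheduling and admission data and the thresholds from each role's measured baseline.

```python
"""Insider-snooping detection over EHR audit logs (added example; constructed data).

Rule 1 - no_treatment_relationship: any access (view, dispense, ...) to a
patient by a user who is not on that patient's care team. This is the
classic snooping signal and, for 'dispense' events, a diversion indicator.
Rule 2 - volume_spike: more than MAX_IN_WINDOW events by one user inside a
sliding WINDOW, regardless of relationship, which catches bulk pulls by
users who do have legitimate access to each individual record.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

WINDOW = timedelta(minutes=10)   # constructed threshold
MAX_IN_WINDOW = 5                # constructed threshold

# Constructed roster: which users have a legitimate relationship to each patient.
CARE_TEAM = {f"P{n}": {"nurse_a", "dr_x", "clerk_b", "pharm_c"} for n in range(1001, 1008)}
CARE_TEAM["P2001"] = {"nurse_z", "dr_y"}

# Constructed audit log (CSV): timestamp,user,role,action,patient_id
SAMPLE_LOG = """\
timestamp,user,role,action,patient_id
2023-05-02T09:12:03,nurse_a,nurse,view,P1001
2023-05-02T09:15:40,nurse_a,nurse,view,P1002
2023-05-02T10:00:00,pharm_c,pharmacist,dispense,P1002
2023-05-02T13:02:11,clerk_b,billing,view,P1001
2023-05-02T13:02:45,clerk_b,billing,view,P1002
2023-05-02T13:03:10,clerk_b,billing,view,P1003
2023-05-02T13:03:40,clerk_b,billing,view,P1004
2023-05-02T13:04:05,clerk_b,billing,view,P1005
2023-05-02T13:04:30,clerk_b,billing,view,P1006
2023-05-02T13:05:02,clerk_b,billing,view,P1007
2023-05-02T21:45:10,nurse_a,nurse,view,P2001
2023-05-02T22:10:33,pharm_c,pharmacist,dispense,P2001
"""


def parse_log(text):
    """Parse CSV audit lines into dicts, adding a datetime under 'ts'."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return rows


def detect_anomalies(rows, care_team, window=WINDOW, max_in_window=MAX_IN_WINDOW):
    """Return a list of alert dicts produced by the two rules above."""
    alerts = []

    # Rule 1: access without a treatment relationship (any action type).
    for r in rows:
        if r["user"] not in care_team.get(r["patient_id"], set()):
            alerts.append({"rule": "no_treatment_relationship", "user": r["user"],
                           "role": r["role"], "action": r["action"],
                           "patient_id": r["patient_id"], "ts": r["timestamp"]})

    # Rule 2: sliding-window event count per user (one alert per user).
    by_user = defaultdict(list)
    for r in sorted(rows, key=lambda row: row["ts"]):
        by_user[r["user"]].append(r)
    for user, events in by_user.items():
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1                      # slide the window forward
            if end - start + 1 > max_in_window:
                alerts.append({"rule": "volume_spike", "user": user,
                               "role": events[end]["role"],
                               "count": end - start + 1,
                               "window_start": events[start]["timestamp"],
                               "ts": events[end]["timestamp"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(alert)
```

On the constructed log this raises three alerts: nurse_a viewing P2001 and pharm_c dispensing for P2001, neither of whom is on that patient's care team, and clerk_b's seven record views in about three minutes. The point of keeping the relationship roster and the baseline outside the detection code is that both are data the organization already holds; what the BakerHostetler finding calls for is that the access log itself be complete, tamper-evident and reviewed against them.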

“Securing an enterprise is a significant challenge — there are a lot of risks and just spending more money does not automatically equate to more effective security. We see a lot of incidents, including what allowed them to occur and what was done to address the issue. Because enterprises do not have unlimited budgets and staff to implement and maintain new solutions, being able to share objective data about security incidents — from causes to fixes to consequences — helps clients decide where to prioritize their efforts.”

Craig Hoffman, co-leader of BakerHostetler’s national Digital Risk Advisory and Cybersecurity team
