Fewer, but larger, healthcare data breaches reported in 2023 with hackers often targeting third parties

The healthcare industry has suffered fewer but larger cybersecurity breaches in the first half of 2023, suggesting a shift in targets and tactics among attackers, wrote cybersecurity firm Critical Insight in a new report.

The 308 healthcare data breaches reported to the federal government from January through June represent a 15% sequential decline from the back half of 2022’s 363, according to the report.

That puts the industry on pace to close the year with the fewest breaches since 2019, the firm wrote. The 202 reported breaches specifically targeting providers are likewise down from the breach frequency of each of the past three years.

On the other hand, the number of individuals affected by these breaches jumped from 31 million in the second half of 2022 to a new record of 40 million, an average of about 131,000 impacted individuals per breach, Critical Insight wrote. That total was fueled in part by the third-largest (Managed Care of North America, 8.9 million individuals) and fourth-largest (PharMerica, 5.8 million individuals) healthcare breaches ever recorded, as well as “numerous other breaches” affecting about 3 million people.

Nearly three-quarters of the breaches were tied to hackers, with unauthorized access/disclosure breaches also jumping in prevalence from 15% across 2022 to 23% at the beginning of 2023.

Though those trends are generally in line with what Critical Insight has seen since 2019, the firm’s founder and chief information security officer said it’s the shifting targets and tactics that “should give all these providers pause.”

Breaches associated with third-party business associates have “steadily risen” from 10% in the beginning of 2019 to 21% in the most recent six-month period, according to the report. These breaches were responsible for nearly half of all affected individuals and averaged over 304,000 impacted individuals per breach.

“Our report found that hackers are increasingly targeting the weakest links and vulnerable points in the supply chain, specifically business associates or third-party companies, that offer services to healthcare organizations emphasizing the importance of effective incident response planning and proactive defense strategies,” John Delano, healthcare cybersecurity strategist at Critical Insight as well as a vice president at Christus Health, said in a release. “Now more than ever, healthcare organizations must remain vigilant of their security and exposures within their supply chain as attackers constantly adapt new strategies.”

Health plans represented the remaining 14% of reported breaches but just 9% of impacted patient records.

The shifting tactical landscape extends to attackers’ most common points of entry.

Whereas hackers’ successful attempts were most often the result of an email breach in 2019, 77% of breaches in the first half of 2023 involved network servers as the point of entry, with email-related breaches accounting for just 19% of reported incidents.

Organizations have since improved their defenses against phishing attacks, resulting in a consistent decline in email-related hacks. As a result, hackers have shifted their tactics toward targeting network vulnerabilities, the firm wrote, while noting that network server breaches were responsible for 97% of affected individual records.

Hospitals were the most common target among provider organizations with 37 reported hacking or IT incidents in the first half of 2023, down from 49 in the later part of 2022. These were followed by 26 impacted specialty clinics, down from a high of 59 during the prior period, and 15 behavioral health providers, up slightly from 14 previously.

Cybersecurity breaches cost healthcare organizations an average of $10.1 million each during 2022, a 9.4% increase over 2021 and well above the average for other sectors of the economy.

The incidents have rolled on during the summer. Major for-profit hospital chain HCA Healthcare disclosed in July an 11 million-patient data breach, though it said during a recent earnings call that it does not expect the breach to have a material impact on its business.

Meanwhile, an early August cyberattack across Prospect Medical Holdings forced affiliate health systems to bring some computer systems offline and limit certain services. As of this week, reports indicate that certain facilities and systems are still tied up with no definitive restoration timeline available.