Hackers shifting focus to small hospitals, clinics and tech companies to siphon off patient data, report finds

Healthcare continues to be a top target for cyberattacks, but hackers have pivoted their focus from large healthcare systems to smaller hospitals, specialty clinics and third-party vendors.

Among cyberattacks against providers in the first half of 2022, breaches associated with specialty clinics rose from 23% in 2021 to 31% this year, according to a report from cybersecurity firm Critical Insight.

Attacks against specialty clinics made up 20% of breaches in the first half of 2019.

For the report, the firm analyzed breach data reported to the U.S. Department of Health and Human Services by healthcare organizations.

Hospital systems accounted for 29.6% of reported breaches so far in 2022.

Hackers are also targeting physician groups. The number of attacks on physician groups has increased from 2% of total breaches in the first half of 2021 to 12% in the first half of 2022.

While large hospital systems and payers represent bigger targets that would likely yield the most data, these companies also have more sophisticated defenses.

Smaller hospital systems and specialty clinics often lack the same level of security preparedness, staff size or budget, and have weaker cyber defenses.

"Attackers are continuing to push the envelope and change the playing field when it comes to healthcare data breaches and attacks," said John Delano, healthcare cybersecurity strategist at Critical Insight and vice president at Christus Health, in a press release. "This move from large hospital systems and payers to smaller entities that truly have a deficit when it comes to cyber defenses shows a massive change in victims and approach. As we continue into 2022, we anticipate attackers to continue to focus on these smaller entities for ease of attack, but also for evasion of media attention and escalation with law enforcement."

Healthcare services and supplies, which include pharmacies, medical supply companies and provider alliances, accounted for 14% of breaches in the first half of 2022, up from 10% in the second half of 2020. In fact, the percentage of breaches linked to service and supplies has risen every reporting period since the second half of 2019, when it was only 5% of total breaches.

Healthcare providers still represent the most frequent target, accounting for 73% of total breaches in the first half of 2022. Business associates now represent 15% of cyber incidents and health plans 12%.

The unrelenting barrage of cyberattacks against healthcare organizations also is causing major financial damage as health systems struggle to mitigate the costs of data breaches. A healthcare data breach now comes with a record-high price tag—to the tune of $10.1 million on average, according to a recent IBM Security report.

Critical Insight's analysis found that the total number of data breaches affecting healthcare systems has receded since the high-water mark set during the peak of COVID. The number of reported breaches crested during the second half of 2020, when organizations were so distracted by the pandemic that attackers had an easier time breaching their defenses. Since then, the total number of breaches has slowly but steadily declined, from the peak of 393 to 367 in the first half of 2021, 344 in the second half of 2021, and 324 in the first half of this year. That marks a 6% decline from 2021 to this year.

But 324 breaches is still significantly higher than a typical half-year breach count at pre-pandemic levels, according to the report. Researchers estimate that total breaches for this year will be lower than 2020 or 2021, but still higher than 2019.

The number of patient records impacted by breaches has also declined. In the first half of 2022, 20 million individuals were affected by hacking incidents, marking a 10% drop compared to the prior six-month period and 28% less than the first half of 2021.

But so far this year attackers hit the jackpot with several mega-breaches. Eye Care Leaders, which offers an ophthalmology-specific electronic medical record (EMR) solution, was hit with a ransomware attack that exposed more than 2 million records.

Shields Health Care Group, which provides management and imaging services to more than 50 healthcare facilities, also reported a breach involving 2 million individuals. Partnership HealthPlan of California, a third-party entity that administers Medicare benefits, suffered a breach that affected 850,000 individuals. And Arizona’s Yuma Regional Medical Center disclosed that it was the victim of a ransomware attack that exposed the Social Security numbers and other personal information of 700,000 individuals.

This focus on systemic technology that is used across most healthcare providers is expected to continue throughout the remainder of 2022, according to cybersecurity researchers.

Attackers are also focusing on systemic technologies, like EMR systems, to siphon as much data and cause as much operational damage as possible in order to push for ransom payments, according to the report. Hacking incidents on EMR systems soared from zero in the first half of 2020 to nearly 8% of all breaches in the first half of 2022.

EMR systems have emerged as a serious target for hackers, and breaches are increasingly occurring at third-party business associates rather than at providers themselves.

Along with ransomware attacks and unauthorized access of medical IT systems, the healthcare industry also is being warned about an ongoing scam involving medical workers.

The FBI issued a warning this week to those employed in the healthcare industry of scammers that are impersonating law enforcement or government officials in attempts to extort money or steal personally identifiable information (PII).

The scammers will often spoof authentic phone numbers and names and use fake credentials of well-known government and law enforcement agencies to notify the intended target that they were subpoenaed to provide expert witness testimony in a criminal or civil court case. The healthcare professional is then told that, because they did not appear in court, they are in violation of the subpoena, have been held in contempt, and an arrest warrant has been issued for them.

Scammers then tell targeted victims that if they pay a court fine they will no longer be held in contempt, according to the FBI. The scammers use an "urgent and aggressive tone" coupled with scare tactics that claim the target victim is currently under surveillance and an arrest warrant will involve an early morning police raid. The intended victim is warned noncompliance will result in their medical license being revoked.

The FBI warning notes that law enforcement authorities or government officials will never contact members of the public or medical practitioners by telephone to demand any form of payment, or to request personal or sensitive information. Any legitimate investigation or legal action will be done in person or by an official letter, the FBI warning said.