Data Privacy Week 2024: The Sickening Truth About Healthcare Cyberattacks and Examining how Cyber Insurance Can Impact Healthcare Providers
When individuals seek care from the medical industry, they expect their problem to be fixed, not to have a whole new one created; unfortunately, the latter is the reality for millions of patients because of the number of data breaches that occur in the healthcare industry each year. According to HealthITSecurity, more than 540 healthcare organizations and 112 million individuals were affected by a data breach in 2023. The number of people affected by these breaches is only growing. While 48.6 million were impacted by a healthcare data breach in 2022, this number grew to 112 million one year later, an increase of 63.4 million individuals affected by a healthcare organization data breach.
The truth is, many have difficulty believing that a data breach will happen to them until it does. Organizations often have a hard time fathoming just how a cybersecurity attack can occur in their facilities. However, healthcare organizations are a continuing target for hackers, and the number of breaches only seems to be increasing. When there is a cyber breach, it is costly. According to IBM Security, the average healthcare data breach costs an organization 10.93 million dollars. This is due to incurring legal fees, paying damages to the individuals affected by the breach, absorbing remediation costs, and more. Hospitals and other healthcare organizations can save millions by implementing measures to prevent these attacks, including examining how cyber insurance could potentially reduce some of these exposures.
Data Privacy Week brings awareness to the issues at hand. The National Cybersecurity Alliance dedicates the week of January 21 to 27 to raising awareness among consumers and organizations, highlighting the importance of keeping data safe. With millions of people affected by data breaches in the healthcare industry alone, it is imperative for people to understand how cyber breaches can affect them on both an individual and an organizational level.
In Rodriguez v. Mena Hosp. Comm’n, there was a breach in 2021 at Mena Hospital Commission, an Arkansas regional medical service provider, that resulted in attackers accessing patient data. The breach that the hospital faced resulted in a compromise of personally identifiable information (“PII”) from approximately 88,000 patients. The plaintiffs in this case alleged that the regional health system was negligent in protecting patients’ data, and the court agreed that there was a duty for the health system to act in a reasonably prudent manner to protect patients’ PII. Even though the hackers retrieved patients’ names, addresses, emails, dates of birth, phone numbers, and Social Security numbers, this is not even the worst-case scenario. In August of 2023, Manchester Memorial Hospital, a Connecticut hospital, and 16 other hospitals and over 165 clinics and outpatient centers were hit with the same ransomware attack. As reported, this forced the hospitals, clinics, and outpatient centers to revert to pen and paper. Since their electronic health records were inaccessible, medical personnel had to keep track of patients’ information manually, including background history and the dosages of medicine prescribed, writing it down rather than entering it electronically. As noted by Stat News, Manchester Memorial Hospital had to work this way for nearly six weeks until its systems were back online. Sadly, reverting to pen and paper because of a ransomware attack is not uncommon. In 2022, Brooklyn hospitals also had to revert to pen and paper to treat their patients following a cyberattack, as indicated by CBS News. This issue is not restricted to one area in particular. In fact, similarly reported cyber incidents have affected Buffalo hospitals, Florida hospitals, and many more.
Hospitals are not the only healthcare providers that are targeted by cyber criminals. Attackers will even target small providers, such as physician groups, due to their vulnerability. According to Critical Insight, physician groups accounted for 12 percent of the total number of healthcare cyberattacks in 2022 alone. Despite the plentiful options for preventative measures, many organizations still leave themselves defenseless against cyberattacks. Promoting education about mechanisms to reduce cyber exposure is key to protecting against and preventing these attacks altogether. As Data Privacy Week highlights, taking preventative measures and having security measures in place in case of an attack can make an immeasurable difference.
Data Privacy Week is centered around informing the public about cyber safeguards and demonstrating how a data breach can occur in the first place. Educating employees about how to identify emails that look real but are generated by hackers is just one way to reduce cyberattack exposure. These emails, commonly known as phishing emails, may encourage an individual to download malware onto their computer. According to Astra, 88 percent of healthcare workers open phishing emails. This can be attributed in part to the lack of education that healthcare providers receive about this very cyber exposure. In fact, 24 percent of healthcare workers have not received any cyber awareness training focused on phishing scams. Along with phishing attacks, the use of ransomware is another very common way that data is breached in the healthcare community. Roughly 74 percent of ransomware attacks were aimed at hospitals. In addition, 26 percent of other healthcare organizations, such as dental practices and nursing homes, were targeted for ransomware attacks.
Cyber insurance is a risk-management tool that can help healthcare organizations and other industries. With fewer than half of hospitals in the United States carrying cyber insurance, many organizations are losing millions to hackers even though there are ways to prevent it. When exploring cyber insurance, organizations should examine how cyber policies address the costs of ransomware, breach response costs, and the full limits available under the policy for business interruption costs. Essentially, it’s about discussing what’s involved in getting your organization back up and running. Data Privacy Week brings attention to the fact that if healthcare organizations and other industries implement protective measures and obtain cyber insurance, they will be in a stronger position and better prepared to protect the confidentiality of their patients and consumers.
By: Camee Hughes, In-House Legal Extern for Synapse Partners LLC
Synapse Services offers cyber insurance coverage options for an expansive number of industries. Please contact one of our producers if you are interested in receiving additional information about the availability of cyber insurance options specifically tailored to your industry.