Critical Insight Finds 35 Percent Increase in Attacks on Health Plans in 2021 End of Year Healthcare Data Breach Report
SEATTLE, January 31, 2022 –Critical Insight, a Managed Detection and Response (MDR) service provider specializing in protecting the networks of life-saving organizations and critical infrastructure, announced today the release of the firm’s 2H 2021 Healthcare Data Breach Report, which analyzes breach data reported to the U.S. Department of Health and Human Services by healthcare organizations.
As we entered the second year of the pandemic in 2021, healthcare systems found themselves under unprecedented and unrelenting stress. Frontline healthcare workers continued to be understaffed and overworked. Hospitals were so overcrowded that they have been forced to postpone routine medical procedures until the latest surge of COVID-19 cases subsides.
Similarly, IT departments at healthcare organizations faced critical skills and staffing shortages as they battled the latest cyberattack variants. Today, those departments continue to be stretched so thin dealing with pandemic-related crises that routine security measures may fall by the wayside, breaches may go undetected for weeks, and efforts to validate the security measures undertaken by affiliates and third parties may fall short.
- Total Individuals Affected: 2021 hit a high of 45 million individuals affected by healthcare attacks, up from 34 million in 2020. That 45 million number is triple the number of individuals impacted only three years ago. (The number was 14 million in 2018)
- Who is Getting Breached?: Attacks against health plans jumped nearly 35% from 2020 to 2021. And attacks against business associates, or third-party vendors, increased nearly 18% from 2020 to 2021. Fortunately, attacks against Healthcare Providers (where most breaches are historically reported) declined slightly after peaking in 2020 (down ~4%).
- Most Common Breach Causes: Hacking/IT incidents continue to be the most common cause of breaches with an increase of 10% in 2021. Hacking was also responsible for the vast majority of individual records that were affected by breaches, which means those records were likely sold on the Dark Web.
- One thing we’re watching: When we look at which segments of the healthcare ecosystem had Hacking/IT Incident type breaches, we’re now seeing outpatient/specialty clinics have more Hacking/IT Incident type breaches than hospitals. Outpatient/specialty clinics saw a 41% increase in Hacking/IT Incident type breaches in 2021 compared to 2020.
“Whether the attack vector is ransomware, credential harvesting or stealing devices, the healthcare industry is a prime target for attackers to monetize PHI and sell on the Dark Web or hold an entity ransom unable to deliver patient care,” said John Delano, Healthcare Cybersecurity Strategist at Critical Insight and Vice President at Christus Health. “As we continue into 2022, healthcare organizations need to be on guard not only of their cybersecurity posture but also of third party vendors that have access to data and networks. We are seeing more awareness and proactive approaches to cybersecurity within this sector, but there is still a long way to go.”
About Critical Insight
Critical Insight delivers cyber security that’s critical to your mission. We defend your organization with a personalized blend of MDR, managed, and professional services, to assess, test, and monitor 24×7. IT teams get their day jobs back with a full staff of expertise for less than the cost of one employee. We make cyber security a path to progress, from ensuring compliance to driving customer preference. We’re committed to defending those who serve us all, so no organization has to go without an effective cyber defense. Critical Insight. We Defend. You Thrive.