In 2021, the healthcare industry faced rising supply costs, higher salaries, and critical staffing shortages exacerbated by COVID-19, on top of the continuing challenges of employee retention and satisfaction, patient safety, and organizational success. Although bad actors have relentlessly exploited healthcare's weak spots for years, continuous disruption made the industry an even bigger target in 2021, when breaches were up nearly 20% compared to 2020. Greater reliance on virtual care delivery and remote work widened the exposure of sensitive patient data while hackers deployed more sophisticated tactics.
These are some of the key findings contained in the 2022 Protenus Breach Barometer®, a retrospective report of health data breaches that occurred in 2021. The number of reported health data breaches has risen every year since Protenus began publishing the Breach Barometer in 2016.
Download the 2022 Breach Barometer® for the latest insights on how data breaches are impacting the healthcare industry.
The latest Breach Barometer is based on 905 health data breaches reported to HHS, the media, or some other source in 2021, which represented a 19% increase from the 758 breaches reported in 2020. Data on patient impact was available for 700 of the incidents in 2021, which compromised more than 50.4 million records.
These numbers only reflect incidents that have been detected and reported, and HHS only requires reporting of breaches that affect more than 500 patients. Therefore, the full picture is likely much more serious.
Hacks climb for 6th consecutive year
Hacking incidents increased for the sixth year in a row, with the number of public reports up 44% from 2020.
Increasingly sophisticated hackers are fast outpacing the healthcare industry’s adoption of new protections. While hospitals are focused on persistent staffing shortages, supply chain disruptions, and other impacts of COVID-19, their outdated methods for detecting improper access are creating a large blind spot. The threat is concerning enough that in late October, the HHS Office for Civil Rights advised healthcare organizations to re-evaluate their use of legacy IT systems and devices, noting their increased vulnerability to cyberattacks. Throughout 2021, 678 hacking incidents were reported, or approximately 75% of all breaches in the year. Hacking during the year affected 43,782,811 patient records in total, or 64,576 per incident on average.
The bottom line: these hacks left more than 43 million patients vulnerable to risks like identity theft and exploitation, threatening patients’ livelihoods and right to privacy.
Healthcare organizations must heed the warnings to update their outdated legacy systems and invest in a proactive risk-reduction strategy to protect the patients they serve. Doing so lessens the possibility of financial penalties and disruptions and, most importantly, helps prevent the erosion of patient trust, which is a huge blow to any organization.
Insider incidents account for more than 1 in 10 breaches
With 111 new insider incidents recorded throughout the year, insiders were responsible for 12% of the total number of breaches in 2021. The number of breaches categorized as insider incidents was down from 150 in 2020, when sensitivity around COVID-19 diagnoses may have driven a spike in either insider curiosity or organizational detection of impropriety, which has since subsided.
It’s important to note that insider behavior often provides the initial foothold for improper access to patient data in incidents that are ultimately reported as hacking-related. For instance, if a healthcare worker is tricked into clicking a malicious link that enables hackers to take control of millions of records, the incident may be reported as a ransomware attack, but insider error is certainly a contributing factor. Insider behavior may therefore have played a part in many of the hacking incidents that accounted for the majority of breaches in 2021, so the reported number of insider incidents greatly understates the extent to which insider behavior contributes to breaches. The vulnerabilities that insider behaviors can create should not be underestimated.
An industry wake-up call
It’s not a matter of “if” a health data breach will happen, it’s “when”. Organizations must better protect themselves and the patients they serve by using healthcare compliance analytics to surface and prioritize the interactions with data that truly need attention, enabling early identification and prevention of risks that can ruin an organization and harm patients.
The breaches we reported on in the 2022 Breach Barometer show only a sliver of the true numbers. The healthcare industry is under constant attack from cyber threats that grow every year. Occasional manual audits, or reliance on legacy systems to achieve compliance, are no match for the dangers organizations face daily. With crisis-level staffing shortages and crippling budget constraints, it’s imperative to harness technology to do more than is humanly possible while requiring fewer resources to protect organizations and patients.
Download the 2022 Protenus Breach Barometer® to better understand how data breaches affected healthcare during 2021.