
Redefining Privacy: Lessons Learned from over 171M Records Breached in 2023

In 2023, the U.S. healthcare industry experienced a 187% increase in compromised patient records, totaling more than 171 million patient health records accessed through a range of inappropriate and unlawful means by threat actors. A breach of patient records is not just a breach of data; it is a breach of trust. It undermines the sanctity of the health system-patient relationship, which is the fulcrum of healthcare ethics. Each data breach represents the story of a patient whose privacy was compromised, and each digit in the 171 million figure maps to a vulnerability that needs addressing.

This surge signals that healthcare security, patient privacy, and compliance efforts need a fundamental change. From top executives to frontline staff, we need to shift our focus. In this blog post, we break down the alarming numbers reported in the 2024 Breach Barometer Report, not to dwell on the past, but to gear up for protecting patient privacy in the future.

Let's cut to the chase:

  • Hackers will persist in launching large-scale attacks.
  • Insider threats will continue to disrupt operations covertly.
  • Financial pressures on organizations will intensify due to increasing enforcement and rising fines.

The Hacker Surge

The 2024 Breach Barometer Report, which provides a recap of 2023 activity, paints a grim picture: hackers have been identified as the primary culprits behind the health data breaches of 2023. Healthcare organizations grapple with ransomware attacks that are becoming both more frequent and more sophisticated. For Chief Information Security Officers (CISOs) and other privacy and security professionals—whose roles are becoming increasingly crucial (and challenging)—the findings are a stark reminder that vigilance and advanced privacy and security precautions are more necessary than ever.

Compounding the issue is the involvement of business associates. They accounted for a staggering 69% of the records compromised, many of which were exposed by ransomware attacks (MOVEit and GoAnywhere). This striking figure shows that breaches were not just an internal IT concern for HIPAA covered entities but extended to third-party collaborations as well. Partnerships that were once strategic assets are now potential liabilities that must be managed with rigorous due diligence and continuous monitoring.

Insider Threats: A Persistent Problem

Health systems face another persistent challenge with insider threats. Unauthorized access, including insider incidents, continues to outpace all other causes of patient record breaches reported, accounting for 93% of incidents. These breaches often go unnoticed, can escalate into larger-scale incidents, and frequently have a more direct impact on individual patients and their privacy. Insider threats also affect the health organization itself: eroded patient trust and satisfaction may result in lost business and reputational damage.

Insider threats remain steady year over year, and the mere existence of these events—whether due to negligence or malicious intent—highlights the need for proactive methods to identify inappropriate behavior, comprehensive employee training, and stricter access controls.

Financial Ramifications and Regulatory Landscape

The financial aftershocks of these privacy breaches resonated across the industry in unprecedented ways. Enforcement efforts and rising fines led to a cost spiral, with the average cost of a healthcare data breach soaring to $10.93 million in 2023. The HHS Office for Civil Rights as well as state regulators are intensifying enforcement, and investigative settlements and corrective actions are on the rise. However, monetary losses are not the sole ripple effect; reputational damage is an intangible yet potent consequence.

Organizations are urged to prioritize investment not only in technology that fortifies their digital ramparts but also in the education of their policy enforcers: the employees. Staff education must be expansive and ingrained in the organization's culture, reaching from the basics of safeguarding patient data to cutting-edge defense strategies against sophisticated cyberattacks and other inappropriate access.

Organizations Can Take a Proactive Approach with AI Technology

Dealing with a large hacking incident can feel catastrophic: an all-out attack. Insider attacks carry the same risk, smaller in magnitude but a more frequent, everyday occurrence: death by a thousand cuts. Today’s privacy and security leaders must be vigilant at both ends of the spectrum, ensuring the right people have access to the right data, with a strong perimeter defense and a culture of compliance internally. Efficiencies from Artificial Intelligence (AI) technology can drive proactive outcomes on both of these fronts. Adoption of AI-driven solutions, such as Protenus Patient Privacy Monitoring, can enable healthcare organizations to identify and defend against data breaches more effectively, using predictive analytics and threat assessments to ultimately mitigate risk to the organization and its patients.

Final Thoughts

The revelations of the 2024 Breach Barometer Report serve as a robust wake-up call for healthcare entities nationwide. The year 2023 unveiled lessons that are profound, stark, and indispensable. And our findings bear repeating: hackers will persist in launching large-scale attacks, while insider threats will continue to disrupt operations covertly. Additionally, financial pressures on organizations will intensify due to increasing enforcement and rising fines.

Privacy and security stakeholders must take action, adopting processes and technologies that support their strategic plans to protect patient privacy and their organization’s financial health and reputation.
