
Why healthcare cybersecurity spending will exceed $65B over the next 5 years

Feb 02, 2018 | 15 min read
Cyberattacks | Cybercrime | Data Breach

Hospitals and healthcare providers remain under cyber attack, causing organizations to spend more to protect their systems and patient data.


Healthcare has been at or near the top of the list of industries at greatest risk of cyber intrusions over the past two years, and CIOs and CISOs at healthcare organizations are spending heavily to defend themselves. Cybersecurity Ventures predicts global healthcare cybersecurity spending will exceed $65 billion cumulatively over the five years from 2017 to 2021.

As the healthcare space continues digitizing all of its information, it continues to attract more attention from cyber criminals.

For anyone who needs some convincing on the magnitude of the problem the healthcare industry faces, consider this partial list of hacks, breaches and related activity that occurred in 2017.

2017 dateline of healthcare cyber crime

Dec. 29 — SSM Health in St. Louis reported medical records of 29,000 patients are at risk after they were inappropriately accessed by an employee in its customer service call center. It said that although the former employee accessed patient information from multiple states, the focus of his illegal activities was on the medical records of a small number of patients who had a controlled substance prescription and a primary care physician within the St. Louis area.

Dec. 13 — 21st Century Oncology of Fort Myers, Florida, agreed to pay a $2.3 million fine to the U.S. Department of Health and Human Services to settle a case stemming from a data breach in 2015 that affected more than 2.2 million patient records.

Dec. 8 — UNC Dermatology, a practice of physicians at the University of North Carolina, began notifying 24,000 patients their personal information is at risk after a computer was stolen from the UNC Dermatology & Skin Cancer Center in Burlington, North Carolina.

Dec. 7 — Sinai Health System in Chicago announced personal information of 11,350 people is at risk after the email accounts of at least two employees were compromised in a phishing attack.

Dec. 6 — Henry Ford Health in Michigan announced it is notifying 18,478 patients their personal health information was accessed or stolen when the email accounts of a number of employees were compromised. It said the patients’ data was in emails in the compromised accounts.

Dec. 5 — CCRM Minneapolis, a fertility clinic located in Edina, Minnesota, warned some 3,300 patients their healthcare information is at risk after an unauthorized third party launched a ransomware attack on the clinic’s systems.

Nov. 29 — Multi-State Billing Services, a medical billing company, agreed to pay the state of Massachusetts $100,000 and to improve its security practices over a data breach in which 2,600 Bay State school children were put at risk of identity theft and fraud.

Nov. 24 — North Carolina Department of Health and Human Services notified some 6,000 people their personal identifying information is at risk after the agency accidentally sent a spreadsheet containing the data to a vendor.

Nov. 22 — Cottage Health Systems and its affiliated hospitals in California agreed to a $2 million settlement with the Golden State in a case involving allegations that the provider failed to implement basic, reasonable safeguards to protect patient medical information in violation of state and federal privacy laws. The settlement follows two data breach incidents by Cottage Health in which the medical information of more than 50,000 patients was exposed online.

Oct. 31 — Health insurer CareFirst petitioned the U.S. Supreme Court to overturn a lower court ruling that allowed a class-action lawsuit over a data breach to proceed although no actual harm to members of the class was shown. If the Court agrees to decide the case, it could clear up conflicting decisions by lower courts over when a data breach lawsuit should be allowed to proceed in court.

Oct. 23 — A hacker group that calls itself The Dark Overlord breached systems at London Bridge Plastic Surgery in the U.K. and stole an undisclosed amount of data. The clinic is known for its celebrity clients, including some members of Britain’s royal family.

Oct. 19 — A class-action lawsuit was filed against home respiratory care and medical equipment provider Lincare Holdings of Clearwater, Florida, by employees who allege they were harmed by a data breach that exposed their tax information to online thieves.

Oct. 16 — Beazley, a specialist insurer, reported that during the first nine months of 2017, an unintended disclosure accounted for 41 percent of data breach incidents reported to the company by healthcare organizations. That’s more than twice the second-most frequent cause for data loss, hacking or malware (19 percent).

Oct. 10 — Kromtech Security reported that an Amazon S3 repository belonging to Patient Home Monitoring exposed the blood test results of an estimated 150,000 people to the public internet. PHM offers a variety of monitoring services to manage respiratory diseases and sleep apnea, as well as blood testing for patients on anticoagulants.

Sept. 29 — Vermont Attorney General T. J. Donovan announced SAManage USA, which provides support services for Vermont Health Connect, will pay a $264,000 fine for a data breach affecting 660 VHC users.

Aug. 30 — Mid-Michigan Physicians Imaging Center notified more than 106,000 patients that their personal health information is at risk due to a data breach at third-party service provider McLaren Medical Group.

Aug. 30 — Silver Cross Hospital in New Lenox, Illinois, revealed a data breach at a third-party service provider exposed health information for up to 9,000 patients.

Aug. 28 — Legal Action Center filed a lawsuit against Aetna accusing the insurer of breaching the privacy rights of 12,000 customers in 23 states by allowing the words “filling prescriptions for HIV” to be seen in window envelopes sent to the clients. The lawsuit seeks unspecified damages, a change in Aetna’s mailing practices, and legal fees and costs.

Aug. 25 — U.S. District Court Judge Lucy Koh gave preliminary approval of a $115 million settlement of litigation against healthcare insurer Anthem over a massive data breach in 2015 when intruders accessed personal identifying information and other data on some 80 million people.

Aug. 17 — San Antonio Institute for Women’s Health warned patients their personal information is at risk after it discovered a keylogger residing on its systems from June 5 to July 6.

Aug. 1 — A federal appeals court ruled customers of CareFirst can sue the health insurer over a 2014 data breach of its systems, reversing a lower court decision that had dismissed the lawsuit.

July 18 — Women’s Health Care Group PA in Philadelphia revealed that one of its servers and a workstation were subjected to a ransomware attack affecting 300,000 people. The group was able to continue normal operations by restoring affected data from backups.

July 13 — The international healthcare group Bupa revealed personal identifying information for 547,000 customers was compromised when an employee copied and removed the data from the company’s systems. It noted no financial or medical data was stolen.

July 12 — University of Iowa Health Care warned 5,300 patients some of their healthcare information is at risk after it sat for two years on an unsecured website belonging to an application developer. It noted that the information did not include clinical information such as diagnoses, Social Security numbers, or financial information such as credit card numbers.

July 6 — UC Davis Health in California notified some 15,000 patients their personal information is at risk after an employee was duped by a phishing scam.

July 5 — Airway Oxygen, a healthcare provider in Wyoming, Michigan, reported a ransomware attack affecting 500,000 people. It said there is no indication that any protected health information was accessed or acquired during the attack.

July 3 — The Guardian reported that the Medicare details of any Australian are being sold on the Dark Net for $30 per individual. It noted the data seller says requests for information can be fulfilled by exploiting a vulnerability in the government’s systems.

June 23 — Airway Oxygen in Michigan notified 500,000 people their personal health information is at risk due to unauthorized access to its infrastructure in April.

June 23 — Southern Illinois Healthcare reported that personal information of more than 600 patients is at risk after Experian Health, a third-party vendor, accidentally sent their data to the wrong medical facilities between Feb. 13 and March 13.

June 21 — Atlantic Digestive Specialists, a gastroenterology group with offices in Somersworth, Hampton and Portsmouth, New Hampshire, notified 94,195 patients their personal information is at risk after a ransomware attack on the group’s systems.

June 19 — Torrance Memorial Medical Center in California notified an undisclosed number of patients their personal information was compromised in a phishing attack on some of the hospital’s email accounts.

June 15 — New York Attorney General Eric T. Schneiderman announced CoPilot Provider Support Services, a provider of support services to the healthcare industry, agreed to pay $130,000 in penalties for waiting over a year to notify affected persons of a data breach that exposed 221,178 patient records.

June 9 — Mississippi’s Division of Medicaid notified 5,220 people their personal health information is at risk due to the insecure transfer of the data from an online form to a designated staff member.

June 5 — Victory Medical Center in Austin, Texas, said demographic data of some 2,000 patients was leaked online after a data breach of its systems.

June 1 — Dr. Zain Kadri’s plastic surgery clinic announced personal information of as many as 15,000 patients, including some celebrities, was stolen by a disgruntled employee who has posted some of the information on Snapchat, Instagram and Facebook.

May 31 — A hacking group called Tsar Team leaked thousands of patient photos from the Grozio Chirurgija cosmetic surgery clinic in Lithuania after the clinic and patients refused to meet the group’s ransom demands.

May 26 — Molina Healthcare, a major insurer in Medicaid and state exchanges across the country, shut down its online patient portal after a vulnerability was discovered that exposed health records of 4.8 million customers in 12 states to the public internet.

May 25 — UW Health in Wisconsin notified 2,046 patients that their personal information is at risk after an employee’s email account, which contained files with patient information in them, was compromised by an intruder.

May 23 — St. Luke’s-Roosevelt Hospital Center in New York City agreed to pay the U.S. Department of Health and Human Services $387,200 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

May 16 — Crain’s New York Business reported protected health information of 3,500 patients at Coney Island NYC Health + Hospitals is at risk after it was accessed by a volunteer in the phlebotomy department who did not have clearance to do so.

May 12 — WannaCry, a ransomware worm that spread using the EternalBlue exploit leaked from the NSA, infected thousands of computers in more than 100 countries, forced NHS hospitals in the U.K. to turn away patients, and disabled computers in Russia’s Interior Ministry.

May 5 — The Ontario government confirmed personal information of thousands of citizens is at risk due to a printing mistake on healthcare renewal forms mailed to residents of the province.

May 3 — Bitglass released its annual healthcare data breach report, which shows a year-over-year increase in breaches – from 268 in 2015 to 328 in 2016.

April 26 — Accenture released a survey that included a finding that one in eight U.K. consumers has had personal medical information stolen from technology systems.

April 25 — Behavioral Health Center in Bangor, Maine, said more than 4,000 clients had their personal information stolen in a data breach in March.

April 24 — CardioNet, a mobile heart monitoring technology company based in Malvern, Pennsylvania, agreed to pay $2.5 million to the U.S. Department of Health and Human Services to settle a case arising from the theft of a laptop containing unencrypted patient data.

April 24 — Western Health Screening, an onsite blood screening provider in Billings, Montana, alerted an undisclosed number of people who participated in health fairs between 2008 and 2012 that their demographic data is at risk due to the theft of an unencrypted flash drive.

April 22 — Lifespan, Rhode Island’s largest health care network, notified some 20,000 patients their health information is at risk after a laptop containing it was stolen from an employee’s car.

April 20 — University of California revealed a group of fraudsters bilked the school of $12 million by writing prescriptions using information scammed from students lured to phony clinical trials through Facebook ads.

April 20 — Center for Children’s Digestive Health in Illinois agreed to pay $31,000 to the U.S. Department of Health and Human Services for storing protected health information with a third-party service provider without a Business Associate Agreement.

April 13 — Protenus reported that in March there were 39 healthcare data breaches that affected more than 1.5 million patient records, more than the two previous months combined.

April 13 — The Metro Community Provider Network in Denver agreed to pay $400,000 to settle a case against it by the U.S. Department of Health and Human Services Office for Civil Rights stemming from a data breach at the organization in 2011.

April 7 — Personal health information of 918,000 people is at risk after a backup database belonging to HealthNow Networks, a Florida telemarketer, was posted without access controls to the internet.

April 3 — The online edition of JAMA Internal Medicine published a study finding that larger hospitals and those with a major teaching mission are more likely to suffer a data breach than smaller hospitals without a teaching mission.

March 22 — Urology Austin in Texas announced a ransomware attack on its computer network potentially exposed patient information for 279,663 people.

March 7 — Brand New Day, a Medicare-approved health plan in California, notified 14,005 patients their electronic personal health information is at risk from a data breach at a third-party provider.

March 3 — Emory Healthcare in Atlanta reported a database containing appointment information for about 80,000 patients was deleted by an intruder who demanded a ransom to restore it.

Feb. 22 — Meridian Health Services of Indiana announced W-2 tax information of some 1,200 current and former employees has been compromised by a phishing scam.

Feb. 21 — The Louisiana Department of Insurance said the personal information of an estimated 8,000 former members of the failed Louisiana Health Cooperative is at risk after a data breach at the co-op’s reinsurance broker.

Feb. 20 — Accenture released a survey that found more than one in four (26 percent) Americans have had their personal medical information stolen from a technology system and that half those victims suffered medical identity theft, which cost them on average $2,500 in out-of-pocket expenses.

Feb. 20 — American Senior Communities, a nursing home chain in Indiana, said W-2 tax information of more than 17,000 employees was compromised in a phishing scam.

Feb. 17 — Memorial Healthcare System, an operator of six hospitals in South Florida, agreed to pay the U.S. Department of Health and Human Services $5.5 million to settle a case involving the theft of patient information by two employees.

Feb. 16 — Memorial Healthcare System in Florida paid $5.5 million to settle potential violations of federal privacy and security rules after reporting the personal health information of 115,143 people was impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff.

Feb. 15 — Horizon Healthcare Services of New Jersey agreed to pay the state $1.1 million to settle a case involving the theft of two laptops that allegedly compromised the personal information of 690,000 policyholders.

Feb. 1 — The U.S. Department of Health and Human Services announced Children’s Medical Center of Dallas agreed to pay a $3.2 million civil money penalty for impermissible disclosure of unsecured electronic protected health information and non-compliance over many years with federal security standards.

Jan. 20 — Ohio State Veterinary Medical Center in Dublin, Ohio, alerted 4,611 clients that their personal data is at risk due to a data breach caused by malware infection.

Jan. 18 — CoPilot Provider Support Services, a healthcare support services company in Hyde Park, New York, announced personal information of some 220,000 people is at risk after one of its databases was accessed by an unauthorized third party.

Jan. 17 — Sentara, a healthcare provider serving Virginia and North Carolina, said personal information of 5,454 patients is at risk due to a data breach at a third-party vendor.

Jan. 17 — Children’s Hospital of Los Angeles warned 3,600 patients their personal data is at risk due to theft of an unencrypted laptop in October.

Jan. 13 — Protenus reported fewer patient records were stolen in healthcare data breaches in 2016 (27.3 million) than 2015 (113 million), but there were more data breaches in 2016 (450) compared to 2015 (253).

Jan. 13 — The Delaware Department of Insurance announced the personal information of 19,000 members of Highmark Blue Cross Blue Shield of Delaware is at risk following a data breach at two of the healthcare provider’s subcontractors.

Jan. 13 — Three Pennsylvania Superior Court judges upheld a lower court ruling that healthcare provider UPMC, which suffered a data breach in which personal information of 62,000 employees was stolen, is not under any obligation to keep its employees’ data safe.

Jan. 9 — Presence Health in Illinois agreed to pay $475,000 to settle a case with the U.S. Department of Health and Human Services over the untimely reporting of a breach of protected health information.

Jan. 6 — California Department of Insurance found a data breach that compromised 78.8 million consumer records at health insurer Anthem was performed on behalf of a foreign government.

Unfortunately, this list barely scratches the surface. But it does help explain the uptick in healthcare cybersecurity spending. Anyone still not convinced should read the 2017 Healthcare Cybersecurity Report.
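Two entries in the dateline above, the Patient Home Monitoring S3 repository (Oct. 10) and the HealthNow Networks backup database (April 7), were not break-ins but storage left reachable by anyone on the internet. For the S3 case, exposure is decided by three settings acting together: the bucket ACL, the bucket policy, and the account or bucket Public Access Block. The following Python script is an added example, not code from the original article or from any organization named in it. It evaluates those three settings offline using the JSON shape the AWS API returns (GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock), so output from boto3 can be fed straight in; the bucket names, ACL grants, policy documents and VPC endpoint ID in it are constructed for the example.

```python
"""Offline audit of the settings that make an S3 bucket publicly readable.

Added example for this article, not code from the original page. Inputs use
the JSON shape returned by GetBucketAcl, GetBucketPolicy and
GetPublicAccessBlock; the sample documents at the bottom are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM/S3 JSON allows a scalar or a list in many places; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def public_acl_grants(acl):
    """Permissions granted to the AllUsers or AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Split wildcard-principal Allow statements into unconditioned (public)
    and conditioned (needs review: aws:SourceIp, aws:SourceVpce and similar
    conditions may still restrict who can actually reach the bucket)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    public, review = [], []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        entry = (st.get("Sid"), tuple(_as_list(st.get("Action"))))
        (review if st.get("Condition") else public).append(entry)
    return public, review


def public_access_block_on(pab):
    """True only when all four Public Access Block settings are enabled."""
    cfg = pab.get("PublicAccessBlockConfiguration", pab)
    return all(cfg.get(k) is True for k in PAB_KEYS)


def assess_bucket(acl, policy=None, pab=None):
    """Return ('public' | 'review' | 'private', findings)."""
    findings = {
        "acl_public_grants": public_acl_grants(acl),
        "policy_public": [], "policy_review": [],
        "public_access_block": bool(pab) and public_access_block_on(pab),
    }
    if policy:
        findings["policy_public"], findings["policy_review"] = public_policy_statements(policy)
    if findings["public_access_block"]:
        # With all four settings on, S3 ignores public ACLs and refuses
        # anonymous requests even when a public bucket policy is attached.
        return "private", findings
    if findings["acl_public_grants"] or findings["policy_public"]:
        return "public", findings
    if findings["policy_review"]:
        return "review", findings
    return "private", findings


# Constructed sample documents (not real buckets) in AWS API shape.
SAMPLE_ACL_PUBLIC = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
SAMPLE_ACL_PRIVATE = {"Grants": [SAMPLE_ACL_PUBLIC["Grants"][0]]}
SAMPLE_POLICY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_POLICY_VPCE = {"Version": "2012-10-17", "Statement": {
    "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}}
PAB_OFF = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}
PAB_ON = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}

if __name__ == "__main__":
    cases = {
        "public-read bucket, PAB off": (SAMPLE_ACL_PUBLIC, SAMPLE_POLICY_PUBLIC, PAB_OFF),
        "same bucket, PAB on": (SAMPLE_ACL_PUBLIC, SAMPLE_POLICY_PUBLIC, PAB_ON),
        "vpc-endpoint-only policy": (SAMPLE_ACL_PRIVATE, SAMPLE_POLICY_VPCE, PAB_OFF),
        "private bucket, no policy": (SAMPLE_ACL_PRIVATE, None, None),
    }
    for name, args in cases.items():
        verdict, f = assess_bucket(*args)
        print(f"{name:28s} -> {verdict:8s} acl={f['acl_public_grants']} "
              f"policy={[sid for sid, _ in f['policy_public']]}")
```

The point of the third case is the caveat: a wildcard principal is not automatically public, because a Condition on aws:SourceVpce or aws:SourceIp can confine it, so a scanner that flags every `"Principal": "*"` produces noise and one that ignores Condition misses nothing but also tells you nothing about real reachability. Treating those statements as a review queue, and treating a fully enabled Public Access Block as the control that ends the discussion, mirrors how S3 actually evaluates a request.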

To see more detail on the datelines above, along with hyperlinks to the sources, go to the Breach Diary (updated quarterly).


Follow me on Twitter @CybersecuritySF, or connect with me on LinkedIn. Send story tips, feedback and suggestions to me here.


Steve Morgan is the founder and CEO at Cybersecurity Ventures and editor in chief of the Cybersecurity Market Report. The Cybersecurity Market Report is published quarterly and covers the business of cybersecurity, including global market sizing and industry forecasts from consolidated research by IT analyst firms, emerging trends, employment, the federal sector, hot companies to watch, notable M&A, investment and IPO activity, and more.