January 16, 2023 By Jonathan Reed 4 min read

Since 2009, the number of individuals affected by health data breaches in the U.S. has exceeded the country’s population of 331.9 million. As per federal statistics, this means many people have been victims of more than one incident.

Unfortunately, the situation seems to be growing worse. In just the last three years, the volume and frequency of breaches have nearly doubled, from 368 in 2018 to 715 in 2021. And during the first half of 2022, the number of data breaches impacting 500 or more records reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) numbered 337.

Meanwhile, IBM’s 2022 Cost of a Data Breach report showed that the average cost of a healthcare data breach reached $10.1 million per incident. This was a 9.4% increase from the prior year.

It’s clear healthcare is under attack, and an important part of the risk comes from third-party vendors.

Where are healthcare data breaches occurring?

According to an analysis by Fortified Health Security, OCR data reveals that healthcare providers accounted for 72% of healthcare data breaches in the first half of 2022. Meanwhile, business associates accounted for 16%, and health plans for 12% of breaches. Overall, over 19 million records were implicated in healthcare data breaches during the first six months of 2022.

Perhaps even more disturbing is how a handful of entities are responsible for huge swaths of lost data. According to the Fortified report, seven entities experienced breaches of more than 490,000 records each (6.2 million records total). The affected entities include:

  • A Florida hospital (1.35 million records lost)
  • An imaging provider (2 million records lost)
  • A California health plan (854,000 records lost)
  • A business services provider (500,000 records lost)
  • A billing company (510,000 records lost).

Further incident analysis, according to Fortified, shows that:

  • Hacking/IT incidents accounted for 80% of incidents
  • Unauthorized access/disclosure accounted for 15% of breaches
  • Loss, theft or improper disposal accounted for 5% of breaches.

Major third-party breach from mailing and printing vendor

In June 2022, a data breach was discovered involving the third-party mailing and printing vendor OneTouchPoint (OTP). A notice on OTP’s website explained that the company detected encrypted files on certain computer systems in April 2022. The subsequent OTP investigation determined that an unauthorized party accessed certain servers starting on April 27. OTP began notifying their customers of the incident on June 3.

The list of affected healthcare entities impacted by the OTP breach includes Geisinger, Kaiser Permanente and 35 other healthcare brands. Among the affected companies were major medical networks and health insurance providers. The exfiltrated files in the breach contained patient names, member IDs and information provided during a health assessment.

This incident highlights an increasingly important reality facing security teams today. That is, your security is only as good as your partner’s security.


Third-party EMR provider breach

Here’s another third-party incident that involved millions of individual records. Eye Care Leaders (ECL), an ophthalmology-specific electronic medical record (EMR) solution, was a victim of unauthorized system access in December 2021. ECL began notifying impacted organizations of the incident in March 2022. Since then, more than two dozen organizations have submitted individual breach reports to OCR.

No one knows the full extent of the damage from the ECL breach. But based on one report, the incident impacted at least 2 million individuals from a variety of organizations.

Texas Tech University Health Sciences Center (TTUHSC) alone accounted for nearly 1.3 million impacted individuals. TTUHSC said that ECL’s compromised databases may have contained extensive personal patient data. The stolen information included patient names, phone numbers, addresses, emails, gender, birth dates, driver’s license numbers, health insurance information, appointment information, medical record numbers, Social Security numbers and other medical information.

ECL is now facing multiple lawsuits over its handling of the breach. Plaintiffs alleged a lack of transparency, reputational harm and business disruptions.

Third-party risk conundrum

These incidents show how difficult it is for organizations to protect their data assets today. Consider that the average organization uses 110 Software-as-a-Service (SaaS) apps, and each of these SaaS vendors can have hundreds, if not thousands, of clients. In a software supply chain attack, malicious code is injected into an application, and the infection spreads to all of its users.

Third-party cybersecurity risks are both common and highly damaging. As per a CrowdStrike report, 45% of organizations surveyed said they experienced at least one software supply chain attack in 2021. And the same report states that supply chain attacks are increasing by an eye-popping 430%.

In another recent survey of cybersecurity workers, 64% of respondents said they could not stop an attack from a compromised software supplier. At the same time, 71% of organizations were victims of software supply chain attacks, resulting in data loss or asset compromise.

How to mitigate third-party risk

What can be done to minimize third-party risk? For starters, it’s important to understand your company’s relationship with your third-party vendors. Vetting third-party security posture is imperative. Ask them what policies and security measures they deploy to protect themselves and their clients. Security agreements should also be provided in writing and included in vendor contract language. It’s also important to implement a system that continually assesses and monitors third-party risks.

From within your company, you can also improve third-party security through approaches such as zero trust. Every enterprise gives multiple users, apps and devices access to IT assets. And despite the different goals and needs of these employees, partners, clients and customers, they all require some level of access to corporate information. The number of connections and resources that need to be managed makes user verification complex.

A zero trust security strategy enables organizations to increase their cyber resiliency and manage the risks of a disconnected business environment while still allowing users access to the appropriate resources. It’s a model that uses context and machine learning to establish secure connections while also protecting an organization from cyber threats.

Cyber threats that target healthcare aren’t going away soon. But informed third-party relationships and stronger internal measures can provide healthier security for all.
