January 16, 2023 By Jonathan Reed 4 min read

Since 2009, the number of individuals affected by health data breaches in the U.S. has exceeded the country’s population of 331.9 million. As per federal statistics, this means many people have been victims of more than one incident.

Unfortunately, the situation seems to be growing worse. In just the last three years, the volume and frequency of breaches have nearly doubled, from 368 in 2018 to 715 in 2021. And during the first half of 2022, the number of data breaches impacting 500 or more records reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) numbered 337.

Meanwhile, IBM’s 2022 Cost of a Data Breach report showed that the average cost of a healthcare data breach reached $10.1 million per incident. This was a 9.4% increase from the prior year.

It’s clear healthcare is under attack, and an important part of the risk comes from third-party vendors.

Where are healthcare data breaches occurring?

According to an analysis by Fortified Health Security, OCR data reveals that healthcare providers accounted for 72% of healthcare data breaches in the first half of 2022. Meanwhile, business associates accounted for 16%, and health plans for 12% of breaches. Overall, over 19 million records were implicated in healthcare data breaches during the first six months of 2022.

Perhaps even more disturbing is how a handful of entities are responsible for huge swaths of lost data. According to the Fortified report, seven entities experienced breaches of more than 490,000 records each (6.2 million records total). The affected entities include:

  • A Florida hospital (1.35 million records lost)
  • An imaging provider (2 million records lost)
  • A California health plan (854,000 records lost)
  • A business services provider (500,000 records lost)
  • A billing company (510,000 records lost).

Further incident analysis, according to Fortified, shows that:

  • Hacking/IT incidents accounted for 80% of incidents
  • Unauthorized access/disclosure accounted for 15% of breaches
  • Loss, theft or improper disposal accounted for 5% of breaches.

Major third-party breach from mailing and printing vendor

In June 2022, a data breach was discovered involving the third-party mailing and printing vendor OneTouchPoint (OTP). A notice on OTP’s website explained that the company detected encrypted files on certain computer systems in April 2022. The subsequent OTP investigation determined that an unauthorized party accessed certain servers starting on April 27. OTP began notifying their customers of the incident on June 3.

The list of affected healthcare entities impacted by the OTP breach includes Geisinger, Kaiser Permanente and 35 other healthcare brands. Among the affected companies were major medical networks and health insurance providers. The exfiltrated files in the breach contained patient names, member IDs and information provided during a health assessment.

This incident highlights an increasingly important reality facing security teams today. That is, your security is only as good as your partner’s security.

Read the CODB Report  

Third-party EMR provider breach

Here’s another third-party incident that involved millions of individual records. Eye Care Leaders (ECL), an ophthalmology-specific electronic medical record (EMR) solution, was a victim of unauthorized system access in December 2021. ECL began notifying impacted organizations of the incident in March 2022. Since then, more than two dozen organizations have submitted individual breach reports to OCR.

No one knows the full extent of the damage from the ECL breach. But based on one report, the incident impacted at least 2 million individuals from a variety of organizations.

Texas Tech University Health Sciences Center (TTUHSC) alone accounted for nearly 1.3 million impacted individuals. TTUHSC said that ECL’s compromised databases may have contained extensive personal patient data. The stolen information included patient names, phone numbers, addresses, emails, gender, birth dates, driver’s license numbers, health insurance information, appointment information, medical record numbers, Social Security numbers and other medical information.

ECL is now facing multiple lawsuits over its handling of the breach. Plaintiffs alleged a lack of transparency, reputational harm and business disruptions.

Third-party risk conundrum

These incidents show us how difficult it is for organizations to protect their data assets these days. Consider that the average organization uses 110 Software-as-aService apps. And each of these SaaS vendors can have hundreds, if not thousands, of clients. In a supply chain software attack, malicious code is injected into an application, and the infection spreads to all users.

Third-party cybersecurity risks are both common and highly damaging. As per a CrowdStrike report, 45% of organizations surveyed said they experienced at least one software supply chain attack in 2021. And the same report states that supply chain attacks are increasing by an eye-popping 430%.

In another recent survey of cybersecurity workers, 64% of respondents said they could not stop an attack from a compromised software supplier. At the same time, 71% of organizations were victims of software supply chain attacks, resulting in data loss or asset compromise.

How to mitigate third-party risk

What can be done to minimize third-party risk? For starters, it’s important to understand your company’s relationship with your third-party vendors. Vetting third-party security posture is imperative. Ask them what policies and security measures they deploy to protect themselves and their clients. Security agreements should also be provided in writing and included in vendor contract language. It’s also important to implement a system that continually assesses and monitors third-party risks.

From within your company, you can also improve third-party security through approaches such as zero trust. Every enterprise gives multiple users, apps and devices access to IT assets. And despite the different goals and needs of these employees, partners, clients and customers, they all require some level of access to corporate information. The number of connections and resources that need to be managed makes user verification complex.

A zero trust security strategy enables organizations to increase their cyber resiliency and manage the risks of a disconnected business environment while still allowing users access to the appropriate resources. It’s a model that uses context and machine learning to establish secure connections while also protecting an organization from cyber threats.

Cyber threats that target healthcare aren’t going away soon. But informed third-party relationships and stronger internal measures can provide healthier security for all.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today