Since 2009, the number of individuals affected by health data breaches in the U.S. has exceeded the country’s population of 331.9 million. As per federal statistics, this means many people have been victims of more than one incident.

Unfortunately, the situation seems to be growing worse. In just the last three years, the volume and frequency of breaches have nearly doubled, from 368 in 2018 to 715 in 2021. And during the first half of 2022, the number of data breaches impacting 500 or more records reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) numbered 337.

Meanwhile, IBM’s 2022 Cost of a Data Breach report showed that the average cost of a healthcare data breach reached $10.1 million per incident. This was a 9.4% increase from the prior year.

It’s clear healthcare is under attack, and an important part of the risk comes from third-party vendors.

Where are Healthcare Data Breaches Occurring?

According to an analysis by Fortified Health Security, OCR data reveals that healthcare providers accounted for 72% of healthcare data breaches in the first half of 2022. Meanwhile, business associates accounted for 16%, and health plans for 12% of breaches. Overall, over 19 million records were implicated in healthcare data breaches during the first six months of 2022.

Perhaps even more disturbing is how a handful of entities are responsible for huge swaths of lost data. According to the Fortified report, seven entities experienced breaches of more than 490,000 records each (6.2 million records total). The affected entities include:

  • A Florida hospital (1.35 million records lost)
  • An imaging provider (2 million records lost)
  • A California health plan (854,000 records lost)
  • A business services provider (500,000 records lost)
  • A billing company (510,000 records lost).

Further incident analysis, according to Fortified, shows that:

  • Hacking/IT incidents accounted for 80% of incidents
  • Unauthorized access/disclosure accounted for 15% of breaches
  • Loss, theft or improper disposal accounted for 5% of breaches.

Major Third-Party Breach from Mailing and Printing Vendor

In June 2022, a data breach was discovered involving the third-party mailing and printing vendor OneTouchPoint (OTP). A notice on OTP’s website explained that the company detected encrypted files on certain computer systems in April 2022. The subsequent OTP investigation determined that an unauthorized party accessed certain servers starting on April 27. OTP began notifying their customers of the incident on June 3.

The list of affected healthcare entities impacted by the OTP breach includes Geisinger, Kaiser Permanente and 35 other healthcare brands. Among the affected companies were major medical networks and health insurance providers. The exfiltrated files in the breach contained patient names, member IDs and information provided during a health assessment.

This incident highlights an increasingly important reality facing security teams today. That is, your security is only as good as your partner’s security.


Third-Party EMR Provider Breach

Here’s another third-party incident that involved millions of individual records. Eye Care Leaders (ECL), an ophthalmology-specific electronic medical record (EMR) solution, was a victim of unauthorized system access in December 2021. ECL began notifying impacted organizations of the incident in March 2022. Since then, more than two dozen organizations have submitted individual breach reports to OCR.

No one knows the full extent of the damage from the ECL breach. But based on one report, the incident impacted at least 2 million individuals from a variety of organizations.

Texas Tech University Health Sciences Center (TTUHSC) alone accounted for nearly 1.3 million impacted individuals. TTUHSC said that ECL’s compromised databases may have contained extensive personal patient data. The stolen information included patient names, phone numbers, addresses, emails, gender, birth dates, driver’s license numbers, health insurance information, appointment information, medical record numbers, Social Security numbers and other medical information.

ECL is now facing multiple lawsuits over its handling of the breach. Plaintiffs alleged a lack of transparency, reputational harm and business disruptions.

Third-Party Risk Conundrum

These incidents show us how difficult it is for organizations to protect their data assets these days. Consider that the average organization uses 110 Software-as-a-Service (SaaS) apps. And each of these SaaS vendors can have hundreds, if not thousands, of clients. In a software supply chain attack, malicious code is injected into an application, and the infection spreads to all of that application's users.

Third-party cybersecurity risks are both common and highly damaging. As per a CrowdStrike report, 45% of organizations surveyed said they experienced at least one software supply chain attack in 2021. And the same report states that supply chain attacks are increasing by an eye-popping 430%.

In another recent survey of cybersecurity workers, 64% of respondents said they could not stop an attack from a compromised software supplier. At the same time, 71% of organizations were victims of software supply chain attacks, resulting in data loss or asset compromise.

How to Mitigate Third-Party Risk

What can be done to minimize third-party risk? For starters, it’s important to understand your company’s relationship with your third-party vendors. Vetting third-party security posture is imperative. Ask them what policies and security measures they deploy to protect themselves and their clients. Security agreements should also be provided in writing and included in vendor contract language. It’s also important to implement a system that continually assesses and monitors third-party risks.

From within your company, you can also improve third-party security through approaches such as zero trust. Every enterprise gives multiple users, apps and devices access to IT assets. And despite the different goals and needs of these employees, partners, clients and customers, they all require some level of access to corporate information. The number of connections and resources that need to be managed makes user verification complex.

A zero trust security strategy enables organizations to increase their cyber resiliency and manage the risks of a disconnected business environment while still allowing users access to the appropriate resources. It’s a model that uses context and machine learning to establish secure connections while also protecting an organization from cyber threats.

Cyber threats that target healthcare aren’t going away soon. But informed third-party relationships and stronger internal measures can provide healthier security for all.
