January 16, 2023, by Jonathan Reed

Since 2009, the number of individuals affected by health data breaches in the U.S. has exceeded the country’s population of 331.9 million, according to federal statistics. That means many people have been victims of more than one incident.

Unfortunately, the situation seems to be growing worse. In just the last three years, the volume and frequency of breaches have nearly doubled, from 368 in 2018 to 715 in 2021. And during the first half of 2022, the number of data breaches impacting 500 or more records reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) numbered 337.

Meanwhile, IBM’s 2022 Cost of a Data Breach report showed that the average cost of a healthcare data breach reached $10.1 million per incident. This was a 9.4% increase from the prior year.

It’s clear healthcare is under attack, and an important part of the risk comes from third-party vendors.

Where are healthcare data breaches occurring?

According to an analysis by Fortified Health Security, OCR data reveals that healthcare providers accounted for 72% of healthcare data breaches in the first half of 2022. Meanwhile, business associates accounted for 16%, and health plans for 12% of breaches. Overall, over 19 million records were implicated in healthcare data breaches during the first six months of 2022.

Perhaps even more disturbing is how a handful of entities are responsible for huge swaths of lost data. According to the Fortified report, seven entities experienced breaches of more than 490,000 records each (6.2 million records total). The affected entities include:

  • A Florida hospital (1.35 million records lost)
  • An imaging provider (2 million records lost)
  • A California health plan (854,000 records lost)
  • A business services provider (500,000 records lost)
  • A billing company (510,000 records lost)

Further incident analysis, according to Fortified, shows that:

  • Hacking/IT incidents accounted for 80% of breaches
  • Unauthorized access/disclosure accounted for 15% of breaches
  • Loss, theft or improper disposal accounted for 5% of breaches

Major third-party breach from mailing and printing vendor

In June 2022, a data breach was discovered involving the third-party mailing and printing vendor OneTouchPoint (OTP). A notice on OTP’s website explained that the company detected encrypted files on certain computer systems in April 2022. The subsequent OTP investigation determined that an unauthorized party accessed certain servers starting on April 27. OTP began notifying their customers of the incident on June 3.

The healthcare entities impacted by the OTP breach include Geisinger, Kaiser Permanente and 35 other healthcare brands, among them major medical networks and health insurance providers. The exfiltrated files contained patient names, member IDs and information provided during a health assessment.

This incident highlights an increasingly important reality facing security teams today: your security is only as good as your partner’s security.


Third-party EMR provider breach

Here’s another third-party incident that involved millions of individual records. Eye Care Leaders (ECL), an ophthalmology-specific electronic medical record (EMR) solution, was a victim of unauthorized system access in December 2021. ECL began notifying impacted organizations of the incident in March 2022. Since then, more than two dozen organizations have submitted individual breach reports to OCR.

No one knows the full extent of the damage from the ECL breach. But based on one report, the incident impacted at least 2 million individuals from a variety of organizations.

Texas Tech University Health Sciences Center (TTUHSC) alone accounted for nearly 1.3 million impacted individuals. TTUHSC said that ECL’s compromised databases may have contained extensive personal patient data. The stolen information included patient names, phone numbers, addresses, emails, gender, birth dates, driver’s license numbers, health insurance information, appointment information, medical record numbers, Social Security numbers and other medical information.

ECL is now facing multiple lawsuits over its handling of the breach. Plaintiffs alleged a lack of transparency, reputational harm and business disruptions.

Third-party risk conundrum

These incidents show us how difficult it is for organizations to protect their data assets these days. Consider that the average organization uses 110 Software-as-a-Service (SaaS) apps, and each of these SaaS vendors can have hundreds, if not thousands, of clients. In a software supply chain attack, malicious code is injected into an application, and every customer that installs it is exposed.

Third-party cybersecurity risks are both common and highly damaging. As per a CrowdStrike report, 45% of organizations surveyed said they experienced at least one software supply chain attack in 2021. And the same report states that supply chain attacks are increasing by an eye-popping 430%.

In another recent survey of cybersecurity workers, 64% of respondents said they could not stop an attack from a compromised software supplier. At the same time, 71% of organizations were victims of software supply chain attacks, resulting in data loss or asset compromise.

How to mitigate third-party risk

What can be done to minimize third-party risk? For starters, it’s important to understand your company’s relationship with your third-party vendors. Vetting third-party security posture is imperative. Ask them what policies and security measures they deploy to protect themselves and their clients. Security agreements should also be provided in writing and included in vendor contract language. It’s also important to implement a system that continually assesses and monitors third-party risks.

From within your company, you can also improve third-party security through approaches such as zero trust. Every enterprise gives multiple users, apps and devices access to IT assets. And despite the different goals and needs of these employees, partners, clients and customers, they all require some level of access to corporate information. The number of connections and resources that need to be managed makes user verification complex.

A zero trust security strategy enables organizations to increase their cyber resiliency and manage the risks of a disconnected business environment while still allowing users access to the appropriate resources. It’s a model that uses context and machine learning to establish secure connections while also protecting an organization from cyber threats.

Cyber threats that target healthcare aren’t going away soon. But informed third-party relationships and stronger internal measures can provide healthier security for all.
