At a Glance
- The healthcare sector has experienced a significant number of major cyberattacks in 2024, including incidents at Change Healthcare, Kaiser Permanente, and Ascension, which have impacted millions of individuals and compromised vast amounts of protected health information.
- Cybercrime poses a serious threat to healthcare organizations of all sizes, as even minor data breaches can have severe consequences, such as compromising patient privacy, financial losses, and reputational damage.
- To strengthen cybersecurity, independent practices should implement robust IT security measures, provide cybersecurity training for staff, conduct regular system audits and updates, and develop an incident response plan.
The year is only halfway over, but the healthcare sector has already reported 280 cyber incidents. That’s 24% of all United States cyber events in 2024, putting healthcare ahead of every other industry. These incidents could impact millions of people and compromise vast amounts of digital records containing protected health information (PHI).
The largest healthcare cyberattacks in 2024
Out of hundreds of incidents, these have been the 3 largest cyberattacks on healthcare data security so far in 2024. Collectively, they’ve had a broad and damaging impact on businesses and consumers.
Change Healthcare
A ransomware attack on February 21, 2024, caused a shutdown of all Change Healthcare services. Hospitals, practices, pharmacies, and medical billing companies across the US experienced disruptions in e-prescribing, claims processing, verifications, reimbursement, and other transactions.
The Change Healthcare data breach could impact 1 in 3 Americans. More than 3 months after the incident, many Change Healthcare services have been partially or fully restored, but work continues on some services.
Kaiser Permanente
On April 12, 2024, the Kaiser Foundation Health Plan notified the US government of a data breach affecting 13.4 million people. This incident was not a cyberattack: PHI was shared with 3rd-party entities via tracking code embedded in the insurance company’s web pages and mobile app, violating HIPAA privacy laws.
The information shared includes member names, IP addresses, sign-in and activity data, and health encyclopedia search terms. Kaiser has since removed the tracking code.
Ascension
A cyberattack on May 8, 2024, caused Ascension system outages that disrupted operations at numerous Ascension hospitals nationwide. Outages interrupted hospital EHR access, Ascension pharmacy processing, and patient access to portals.
Ascension is working with cybersecurity experts to restore network operations safely. According to Ascension’s website, partners and vendors have started reconnecting, and patients and clinicians should “see progress across our points of care” the week of May 27.
Other notable 2024 healthcare cyberattacks
These are smaller yet still significant healthcare cyberattacks that have occurred so far this year.
Group Health Coop of South Central Wisconsin (GHC-SCW)
On January 24, 2024, an attacker attempted to encrypt the GHC-SCW computer system. Encryption was unsuccessful, but the attacker managed to copy files containing protected personal information, including Social Security numbers, of 533,809 individuals.
Otolaryngology Associates
This 13-office Indiana group practice detected unauthorized network activity on February 17, 2024. The attacker sent messages threatening to expose sensitive patient information. Forensics indicate the attacker likely never accessed patient records, but a breach impacting 316,802 people can’t be ruled out.
Ernest Health
Ernest Health operates hospitals and rehabilitation facilities in 13 states. In February, the organization identified unauthorized activity that occurred from January 16 to February 4, 2024. The attackers accessed the personal and medical information of at least 101,413 individuals.
Why independent practices should be concerned
Cybercrime poses a serious threat to healthcare organizations of any size. Even a “minor” data breach can have severe consequences, while a major attack could be devastating.
The ripple effect: Large systems to small practices
As seen with Change Healthcare, large interconnected systems can deliver the fallout from an attack right to the door of smaller practices. Attacks on large entities can also expose common healthcare cybersecurity vulnerabilities, encouraging threat actors to exploit them in practices that lack the level of protection large companies have.
Data breaches endanger patient privacy
Any breach of healthcare data security poses a significant risk to patient privacy. Unauthorized access to PHI can lead to identity fraud, public exposure of personal details, financial theft, and other crimes. Failure to protect patient privacy can cause patients to lose trust in your practice.
Financial and reputational impact
A data breach may lead to financial losses caused by delayed payments, expensive workarounds, legal fees, and remediation costs. Additionally, loss of patient trust can impact retention, resulting in reputational damage that discourages new business, increasing financial instability.
Learning from 2024's healthcare cybersecurity breaches
The 2024 incidents underscore the interconnected nature of the healthcare ecosystem and the critical importance of proactive cybersecurity measures. Robust security is essential to safeguard sensitive patient information and maintain operational integrity.
Common vulnerabilities and exploits used
The 2024 incidents illuminate common vulnerabilities such as weak password protocols, outdated software, insufficient encryption, and lack of staff education. Cybercriminals exploit these weaknesses using methods including:
- Ransomware
- Malware
- Phishing
- Denial of service
The good news is that the recent cyber incidents reveal priority actions you can take to strengthen your practice’s defenses.
Strengthening healthcare cybersecurity for independent practices
Cybersecurity in healthcare requires a comprehensive strategy. Protect your practice with a robust defense that includes:
Stronger IT security
Adopt effective IT security measures, including:
- Multifactor authentication
- Firewalls
- Antivirus software
- In-transit and at-rest data encryption
- Updating software and patches
A simple but highly effective IT measure is using strong passwords that are difficult to replicate.
Cybersecurity training for staff
Create a “culture of cybersecurity awareness” by scheduling regular training sessions emphasizing best practices. Essential topics include device security, recognizing phishing attempts, and reporting suspicious activity.
Frequent system audits and regular updates
Performing regular audits helps identify security gaps and areas for improvement. Scheduling routine software updates and timely hardware maintenance keeps network equipment secure.
Cyber incident response plan
An incident response plan outlines clear steps to identify, contain, and recover from a cyber incident, including downtime protocols. Review the plan regularly and update it as cyber threats evolve.
Preparing is protecting when it comes to cybersecurity
Three major cyberattacks in 2024 have exposed a critical need to boost cybersecurity in healthcare. Fortunately, proactively implementing robust security measures can significantly improve your practice’s protection and help mitigate the impact of a cyberattack.
Tebra’s ONC-certified platform for independent practices supports robust data security. Learn more in a free demo today.