The Alarming Surge in Healthcare Data Breaches: What You Need to Know


Healthcare data breaches are on the rise, and it's crucial to stay informed about the latest incidents and statistics. According to the US Department of Health and Human Services Office for Civil Rights, there have been 438 breaches of unsecured protected health information since the beginning of 2023, involving healthcare organizations across the United States. The U.S. Department of Health and Human Services requires organizations to report any health breach affecting at least 500 Americans. Let's take a closer look at a few recent healthcare data breaches and their impact.

Healthcare Data Breach Statistics

The healthcare sector continues to have the highest data breach costs of any industry, a position it has now held for the 13th consecutive year, and one that no one in the industry wants.

Since 2020, the average cost of a healthcare data breach has risen by 53.3%, from USD 7.13 million in 2020 to nearly USD 11 million today. These figures are significant by any measure.

What Drives These Elevated Costs? 

Abundance of Regulations: The healthcare sector operates under an intricate web of industry regulations and is designated as critical infrastructure by the U.S. government. Navigating this regulatory landscape, including breach notification obligations, adds cost and complexity to every incident.

Impact of the Pandemic: The presence of COVID-19 has further exacerbated the situation, propelling data breach costs to unprecedented levels.

How Are These Breaches Typically Detected?

It is noteworthy that only one-third of breaches were identified by an organization's internal security teams. The remaining two-thirds went unnoticed within the organization and were discovered by external parties, including third-party entities or even the attackers themselves. When an organization depends on outsiders to tell it that it has been breached, it has no control over when detection happens, and containment and notification are delayed accordingly.

The Far-Reaching Consequences 

Financial repercussions are not limited to the breached companies. A substantial 57% of organizations increased the prices of their services and products following a data breach, so consumers ultimately bore part of the cost.

Why Healthcare Data? 

Unfortunately, attackers target healthcare data because it contains highly valuable personal and medical information, making it a lucrative asset on the black market. This data is used for identity theft, medical fraud, and ransom attacks, among other criminal activities. The healthcare sector's historically weaker cybersecurity and the long-term value of healthcare data make it an attractive target for cybercriminals.

Recent Healthcare Data Breaches

1. PharMerica and BrightSpring Health Services, Inc.

On March 14, 2023, PharMerica and its parent company, BrightSpring Health Services, Inc., discovered suspicious activity on their computer network. An internal investigation revealed that an unknown third party had accessed their systems from March 12-13, 2023. Personal information, including names, dates of birth, Social Security numbers, medication lists, and health insurance information, may have been exposed. While no cases of fraud or identity theft have been reported, PharMerica is taking steps to notify potentially affected individuals and provide identity protection services.

2. Cerebral, Inc.

Cerebral, Inc. recently addressed an issue involving inadvertent information sharing. The company had been using "pixels" and other tracking technologies from third-party platforms across its own online platforms. In January 2023, Cerebral discovered that it had disclosed certain information that may be regulated as protected health information (PHI) under HIPAA to certain third-party platforms and subcontractors without obtaining the required assurances. The disclosed information included names, phone numbers, email addresses, dates of birth, and more. Cerebral promptly disabled, reconfigured, and removed the tracking technologies and enhanced its information security practices to prevent future disclosures.
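The Cerebral incident is a useful reminder that a tracking pixel is an outbound request, and whatever is placed in its URL leaves the site. As an added example (not code from the original post, from Cerebral, or from any vendor), the following Python audit lists the third-party resources a page loads and flags pixel URLs whose query strings carry identifiers. The first-party host name, the sample HTML, and the list of sensitive parameter names are all assumptions chosen for the example.

```python
"""Audit an HTML page for third-party pixels/scripts carrying user data.

Added example; inputs below are constructed, not from a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

FIRST_PARTY = "portal.example-telehealth.test"  # assumed first-party host
# Assumed query-parameter names that indicate identifiers leaving the site.
SENSITIVE_KEYS = {"email", "phone", "dob", "name", "condition"}


class ResourceCollector(HTMLParser):
    """Collect src URLs from tags that trigger outbound requests when rendered."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "script", "iframe"):
            for key, value in attrs:
                if key == "src" and value:
                    self.urls.append(value)


def audit_page(html, first_party=FIRST_PARTY):
    """Return (host, sensitive_keys) for every third-party resource on the page."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        if not host or host == first_party:
            continue  # relative or first-party URL: not a third-party disclosure
        keys = sorted(k.lower() for k in parse_qs(parsed.query) if k.lower() in SENSITIVE_KEYS)
        findings.append((host, keys))
    return findings


# Constructed sample: a first-party image, a 1x1 pixel with identifiers in its
# query string, and a vendor script tag with only an account id.
SAMPLE_HTML = """
<html><body>
<img src="https://portal.example-telehealth.test/logo.png">
<img src="https://pixel.tracker.test/collect?event=PageView&email=j%40x.test&condition=anxiety" width="1" height="1">
<script src="https://analytics.vendor.test/tag.js?id=ABC"></script>
</body></html>
"""

if __name__ == "__main__":
    for host, keys in audit_page(SAMPLE_HTML):
        print(host, "carries identifiers:" if keys else "no identifiers", keys)
```

Run against a page template before it is deployed, the audit turns "we use pixels" into a concrete list of which third parties receive which fields.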

3. NationsBenefits

NationsBenefits, a technology company based in Florida, confirmed that over 7,100 residents of New Hampshire had their personal information stolen in a late-January ransomware attack on Fortra's systems. NationsBenefits provides supplemental benefits for health insurance members. The attack targeted personal information stored in its Fortra-hosted instance of GoAnywhere, a file-transfer software tool. While it's unclear how many individuals outside of New Hampshire were affected, NationsBenefits has more than 20 million members nationwide. The company is working to comply with legal obligations and address the incident.

4. HCA Healthcare

HCA Healthcare, a major hospital and clinic operator, recently experienced a significant data breach, potentially affecting over 11 million patients across 20 U.S. states. The breach, discovered on July 5th, ranks among the largest healthcare data breaches in history. The accessed data includes patient names, partial addresses, contact details, appointment dates, and more. HCA believes the breach occurred through an external storage location used for email formatting, which has since been disabled. They are taking immediate containment measures, and affected patients will be notified and offered support, credit monitoring, and identity protection services as necessary. This incident highlights the ongoing challenge of healthcare data security.

5. Cigna

Cigna, one of the largest health insurance companies in the US, experienced a security incident involving the exposure of provider data. While the exposed database did not contain customer or patient data, it did include information related to health insurance negotiated rates, such as provider names, locations, and rates. Although this information is intended to be public under federal law, the database was accessible without password protection, potentially exposing it to security risks.

6. Johnson & Johnson

Johnson & Johnson Health Care Systems has experienced a third-party data breach involving one of its service providers. IBM, a service provider to Johnson & Johnson Health Care Systems, reported an incident involving unauthorized access to a database used on the Janssen CarePath platform. Janssen, upon discovering the breach method, promptly informed IBM, which fixed the security gap and initiated an internal investigation. The investigation, concluded on August 2, 2023, found that unauthorized users had accessed user details, including names, contact information, dates of birth, health insurance information, medication information, and medical condition information.

These breaches underscore the escalating risks to healthcare data security. Given the attractiveness of healthcare data to attackers, organizations must maintain a constant state of vigilance and enforce strong cybersecurity measures to safeguard sensitive patient information. As the healthcare sector confronts these challenges, individuals can also play a part in fortifying their data defenses by regularly monitoring credit reports, fine-tuning privacy settings, and adhering to prudent password practices.