Healthcare and cybercrime in the U.S. - statistics & facts
The healthcare industry’s repository of data and private medical information has long been a magnet for cybercriminals. For U.S. health systems, cyberattacks have been costly - often resulting in up to millions of compromised patient records per breach. The most significant healthcare breach in the United States to date resulted in the breach of 100 million data records from the Change Healthcare’s database.
The healthcare industry requires special attention because not only are financial losses at stake during such a breach, but the health of patients is severely compromised when it is impossible to carry out critical medical procedures and records can no longer be accessed.
In 2023, healthcare providers in the United States saw 809 cases of data compromises. From January to November 2024, there were 520 resolved cases of data violation involving healthcare organizations in the country. Overall, 2015 marked the year of the highest number of healthcare data breaches in the United States, with over 112 million breached health data records.
The healthcare sector frequently gets criticized for insufficient cyber-preparedness. But mission-critical systems of this sector can be equally sensitive to installing cyber-defense or patching vulnerabilities. Besides, it is important to not only focus on healthcare providers themselves but also third-party vendors, which also provide important input.
When ransomware hits
Ransomware attacks are not particularly pleasant for any organization. But for healthcare, they can be particularly destructive. As of 2024, 67 percent of healthcare organizations worldwide said they had experienced ransomware attacks in the past year, compared to 34 percent in 2021. In the United States, over 11 percent of healthcare providers reported a ransomware encounter in 2023. Overall, ransomware attacks caused nearly 19 days of downtime in the U.S. healthcare organizations, which translated to over 14 billion U.S. dollars of monetary loss.Data breaches in U.S. healthcare
The information stored by healthcare providers and related parties is called Protected Health Information (PHI) and is considered highly sensitive. Protected Health Information (PHI) is a part of Personally Identifiable Information (PII) shared with Health Insurance Portability and Accountability Act (HIPAA) entities. Examples of PHI are test results and billing records. Furthermore, ePHI refers to the Electronic Protected Health Information.In 2023, healthcare providers in the United States saw 809 cases of data compromises. From January to November 2024, there were 520 resolved cases of data violation involving healthcare organizations in the country. Overall, 2015 marked the year of the highest number of healthcare data breaches in the United States, with over 112 million breached health data records.
What are the main causes of healthcare data breaches?
Threat actors mitigate organizations’ security solutions in various ways. Hacking and other related IT security incidents remain the most common causes of data breaches in the healthcare industry in the United States. Unauthorized access or disclosure of sensitive data is the second-most common way healthcare information is leaked. Meanwhile, in the first half of 2024, information stored on network servers was the most frequently breached.Usage of Gen AI
Generative AI tools can be pivotal in terms of efficiency. Using them in healthcare would save time on certain tasks and bureaucracy. But these tools require a high level of caution, otherwise, the organization itself would put their data at risk. As of 2023, nearly half of surveyed healthcare organizations in the United States allowed usage of generative AI tools. However, only around 40 percent of them have policies regulating the usage of gen AI.The healthcare sector frequently gets criticized for insufficient cyber-preparedness. But mission-critical systems of this sector can be equally sensitive to installing cyber-defense or patching vulnerabilities. Besides, it is important to not only focus on healthcare providers themselves but also third-party vendors, which also provide important input.
