The healthcare industry has become a prime target for cyberattacks, with breaches in healthcare systems occurring in increasing numbers. As hospitals and medical providers increasingly rely on cloud-based platforms to store and manage patient information, the risk of cyber attacks also increases. Cyberattacks are always damaging, but the consequences of cyberattacks on healthcare organizations are especially high as Patient Personally Identifiable Information (PII) contains some of the most sensitive health data, along with financial information. A breach can lead to not only severe regulatory violations, but also long term legal and financial consequences for healthcare providers. In this blog, we will examine some of the largest healthcare breaches and their impact.

Ransomware: Change Healthcare

BlackCat Detections in Cado Response

Data Affected: Patient healthcare data, PII, healthcare records, financial information, insurance claims

Subjects Affected: 100 million

Threat Group: ALPHV/BlackCat

Ransom: $22 million

Potential Legal Impact: HIPAA violations, class action lawsuits, SEC investigation

In February 2024, Change Healthcare was hit in a ransomware attack, leading to one of the largest medical breaches. Change Healthcare is a major provider of healthcare administrative and technology solutions, and is owned by UnitedHealth Group. This breach is projected to have affected one-third of the U.S. population, making it a major event in the healthcare industry.

The first effect of the breach was widespread outages of insurance billing systems across the U.S, that lasted into the following month. Following the outages, the company announced that they had been contacted by ransomware gang ALPHV/BlackCat. ALPHV/BlackCat are a ransomware gang that operate as a Ransomware-as-a-Service (RaaS), formed in 2021. While the U.S government performed a takedown of the group’s websites, the members are still active. After paying the initial ransom, a second affiliated ransomware group claimed to be in possession of the stolen data, posting snippets online and demanding a second ransom, in a double extortion attempt. However it is currently unknown if this ransom was paid.  

While the full details of the breach are currently unknown, the company has admitted in testimony that the group gained access using compromised credentials to a cloud account that did not have Multi Factor Authentication (MFA) enabled. After the initial access, the group were able to move laterally through the environment and exfiltrate data to later use for ransom. 

Cloud Misconfiguration: Exposed Bucket

Data Affected: PII, Passports, Medical Tests

Subjects Affected: 2 million subjects

Potential Legal Impact: GDPR fine, civil lawsuits

In August 2022, an unsecured AWS bucket belonging to a UK government contracted healthcare company was identified. The bucket, which contained 2 terabytes of customer PII, was left publicly accessible, potentially for months. Included in the two terabytes of data was customer’s medical tests and personal identifications, including passports and driving licenses.  

While it is currently unknown whether threat actors accessed this data, many threat actors scan for publically accessible PII to sell on underground forums. As of October 2024, no breach notification has been delivered to affected subjects, as required under GDPR regulations. 

Ransomware: Lehigh Valley Health Network

Data Affected: Sensitive health data, PII

Subjects Affected: 134,000

Threat Group: ALPHV/BlackCat

Legal Impact: Class action lawsuit

Around a similar time to the Change Healthcare breach, was the ruthless extortion of Lehigh Valley Health Network. Lehigh Valley is a healthcare company comprising hospitals and health centers. The breach, which was also attributed to ALPHV/BlackCat, saw the exfiltration of at least 134,000 patients' sensitive data. The data included pictures of exposed cancer patients that were then posted on an underground forum after Lehigh Valley refused to pay the ransom.

As a result of the breach, Lehigh Valley recently settled a class action lawsuit with victim’s for $65 million. 

Compliance 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation in the United States that primarily addresses the protection of health related data. HIPAA covers two components: the Privacy Rule and the Security Rule. These components establish comprehensive standards designed to safeguard Protected Health Information (PHI) from unauthorized access, and breaches.

HIPAA's Privacy Rule sets the foundation for how PII should be handled by covered entities, which include healthcare providers, health plans, as well as third parties. PII, in relation to HIPAA, encompasses any information that can identify an individual and is related to their health condition, treatment, or payment for healthcare services. The Privacy Rule mandates that covered entities implement policies and procedures to ensure that PII is appropriately protected while only allowing for the dissemination of health data in relation to healthcare needs.

The Security Rule of HIPAA is more relevant to cybersecurity as it outlines regulation to protect the confidentiality, integrity, and security of electronic protected health information. HIPAA regulations have provided a checklist for companies to follow in the event of an incident.  

General Data Protection Regulation (GDPR), which became effective in May 2018, is an EU set of regulations focusing on privacy laws. The regulations apply to any organization that processes the personal data of individuals residing in the EU, regardless of the organization's location. GDPR is designed to give individuals greater control over their personal data while imposing stringent requirements on how businesses collect, store, and process that data. Personal data under GDPR is defined broadly, and includes any information that can be used to directly or indirectly identify an individual, such as names, addresses, emails, and cookie data; with sensitive data including but limited to political, health, biometric and racial data.

Cybersecurity plays a critical role in GDPR compliance, as the regulation mandates that organizations must implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or damage. These measures include encryption, pseudonymization, ensuring data availability and resilience, and having a breach notification system in place. Under GDPR, organizations are required to notify data protection authorities of a breach within 72 hours of becoming aware of it if the breach poses a risk to individual rights and freedoms, along with breach notifications to subjects affected. Failure to report a breach and provide breach notification can lead to a fine of £8.7 million or 2 percent of annual turnover. 

Key Takeaways 

Given the increasing use of cloud environments in the healthcare industry, these examples highlight the importance of adequate security to protect patient data. In addition to the leaking of sensitive information, companies also face reputational damage, lack of patient trust and large fines. It is imperative that companies storing sensitive data adhere to the regulations and guidelines outlined in frameworks like HIPAA and GDPR.  

Having an incident response plan is essential for any organization, especially those with large amounts of data, and differing environments it is stored in. The Cado Platform enables forensic data to be collected across many environments including multi-cloud, container, SaaS, serverless and on-prem. Organizations are able to conduct investigations at speed to gather immediate event insights, and contain attacks. If you want to learn more about the Cado Security platform, contact us to schedule a demo.