The consequences of major hacks can have far-reaching implications that extend into the physical world and human lives. As headlines abound citing expansive breaches, the general population learns helplessly about their everyday vulnerability, as their data sits in the hands and systems of countless providers and retailers.
But now, the blame game is shifting. Victims of cyber exploitation are no longer satisfied throwing up their hands over an overseas hacking group that will suffer no consequences. Instead, consumers are launching class action lawsuits against those to whom they entrusted their personal data. Nowhere is this more evident as of late than in the medical world.
Enter a recent defendant, HCA Healthcare. This large health services company with hundreds of facilities across the U.S. and UK suffered a massive breach of patient data. Their SEC report details a compromise in an “external storage location” for formatting emails. From there, the hackers obtained the information of potentially 11 million patients and posted it on a dark web forum. HCA advises that “hundreds” of U.S. hospitals and physician clinics have been, and will continue to be, affected.
Now HCA is being taken to court for what will likely be the first of several class action lawsuits. The HCA patients who are suing allege that “HCA was negligent in failing to safeguard their personal identifiable and protected health information from unauthorized access and disclosure.” The complaint goes on to explain that “the data stolen in the data breach has been used and will continue to be used in a variety of sordid ways for criminals to exploit plaintiffs and class members and to profit from their misfortune.”
The victims are pursuing monetary damages and a ruling that will require HCA to bolster its data security and monitoring. And they are not alone in their demands; last month, world-renowned Johns Hopkins Health System was hit with its own class action lawsuit. A breach of their third-party file transfer software instigated by a Russian ransomware group is said to have impacted tens to hundreds of thousands of JH patients.
As staggering as these breaches are, they are just 2 of over 300 healthcare security breaches reported to the U.S. Department of Health & Human Services in the first half of 2023. Such breach litigation against healthcare could signal the beginning of consumers-at-large holding all types of organizations accountable for egregious breaches of their privacy. So what can we learn from Healthcare’s litigious woes?
3 Breach Lessons From Healthcare
LESSON 1: Federal records indicate that, between 2010 and 2022, approximately 385 million patient records were exposed in data breaches. If we consider what is generalizable about the HCA hack, we see that it took place in a corner of their systems that was not regarded as a high security priority. HCA may have apportioned less security attention to their email storage compared to other areas of more obvious risk. But that’s exactly what hackers hope for, as they thrive on striking in unexpected, less protected places to carve an entry into the wider network and more valuable data.
TAKEAWAY: There can be a significant difference between the points hackers use to get inside and the data they’re truly after. Therefore, there really is no such thing as a low-priority area of security anymore; rigorous penetration and vulnerability testing and ransomware simulations can help surface these overlooked entry points before an attacker does.
LESSON 2: Also noteworthy about the HCA hack is the high value of the targeted PHI, or Protected Health Information. Health records can garner upwards of $250 each on the Dark Web, while a credit card number may only go for $5, and social security numbers for a mere $1. PHI also contains a wealth of information that, unlike a password, cannot be easily changed and therefore has a particularly appealing “shelf-life” to cybercriminals.
TAKEAWAY: While the dark web has its own prices for stolen data, the value to the consumer is driven by their personal cost. The larger/longer/more stressful the negative impact to the consumer, the greater the likelihood of a class action suit, as the victim seeks compensation for long-term exploitation. All the more reason for proactive HIPAA security & privacy risk assessments in healthcare and ongoing vulnerability management in all sectors.
LESSON 3: According to Black Kite, healthcare was the MOST common victim of third-party breaches in 2022 (35%) due to inadequate security protocols across interconnected healthcare systems, as well as the continued pressures of COVID-19. While details of the HCA breach are pending, “external storage location” may point to a third-party breach like Johns Hopkins suffered. But healthcare isn’t the only victim. In 2023 alone, AT&T, LinkedIn, T-Mobile, and Uber are just a few big names to suffer significant third-party breaches.
TAKEAWAY: Your security is only as good as your vendors’. Don’t be among the 62% of companies who do not monitor this until it’s too late. Assess vendor management risk and proactively prepare your emergency response team to curb the negative impact of a malicious event and promote quick recovery.
Avoid The Defendants’ Table
Cybercriminals are getting craftier by the day. The good news? You can still proactively remediate vulnerabilities to avoid an operational, reputational, and legal disaster. Consider the à la carte audit options here to customize your next security assessment for your unique environment and budget.