It starts with an often-paralyzing attack on computer systems. Doctors scramble to notify patients awaiting surgery that their procedures have been delayed due to a ransomware attack.
Sometimes a single cyberattack can impact hospitals across multiple states, as was the case when hackers targeted CommonSpirit Health in October 2022. Just one reported case of ransomware has allegedly led to the death of a patient. More often, patients' sensitive information is served up to a market of seedy individuals around the world ready to cash in on someone else's identity.
Drata analyzed Department of Health and Human Services data to determine which states felt the largest impacts due to health care data breaches in 2022. The total number of individuals affected by all health care data breaches in each state reported to HHS was normalized as a rate per 10,000 people. Data was not available for Alaska, Idaho, and Washington D.C.
The HITECH Act, signed into federal law in 2009, requires companies to report the breach of protected health information affecting 500 or more people to HHS. Around 38.5 million people in total were affected in some way by the incidents reported to HHS last year. Unfortunately, the data does not make it possible to know how many people may have been affected by more than one breach.
Health care institutions are among the most targeted businesses in the world, chiefly because they hold such sensitive information about the patients they serve. Hospitals, home health agencies, and other institutions store patients' phone numbers, Social Security numbers, addresses, and other things that would allow any would-be criminal to pose as a patient and open new credit cards or bank accounts in their name.
In fact, roughly 44% of all reported identity theft in 2022 resulted in a fraudulent credit card account being opened, according to Federal Trade Commission data. The agency received a record number of fraud reports in 2021, with the total fraud reports for 2022 coming in on par with 2020. The years 2020 and 2021 marked an important pivot in how consumers shared their personal information, with the adoption of digital banking and retail shopping driven to modern highs as a result of the COVID-19 pandemic.
In 2022, the FBI's Internet Crime Complaint Center received millions of complaints of cybercrime with losses totaling $10.3 billion. It can take time—even years—for personal information compromised in a data breach to be used for a crime that brings the event to the attention of the FBI.
But the pandemic also drove a rise in cyberattacks on hospitals and other health care businesses. And a good deal of that sensitive information begins its journey into nefarious hands when a hacker illegally accesses information at a health care institution.
Sometimes an employee's oversight in crafting an email with the wrong link or attachment can allow unauthorized access to private information, as happened in Wisconsin's Department of Health and Human Services last year. However, the vast majority of data breaches at these companies happen through hacking and IT incidents.
Most often, hackers accomplish this with malware that locks up the data until the victim organization pays the attacker a ransom. The federal government recommends against paying ransoms because companies cannot guarantee that a copy of the data won't be sold to criminals anyway after the ransom is paid, and therefore paying is thought to encourage more of the behavior.
In the top five states where the largest portion of the population was impacted by data breaches at health care organizations last year, all most commonly saw data breaches resulting from hacking.
- People affected per 10,000 residents: 0.4
- Breaches reported: 1
- Most common type of breach: Unauthorized Access/Disclosure
- People affected per 10,000 residents: 0.5
- Breaches reported: 1
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 2.8
- Breaches reported: 1
- Most common type of breach: Unauthorized Access/Disclosure
- People affected per 10,000 residents: 6.3
- Breaches reported: 20
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 7.4
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 8.1
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 8.6
- Breaches reported: 1
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 11.2
- Breaches reported: 6
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 13.2
- Breaches reported: 7
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 13.3
- Breaches reported: 6
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 13.7
- Breaches reported: 23
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 16.8
- Breaches reported: 5
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 17.1
- Breaches reported: 11
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 21
- Breaches reported: 1
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 21.6
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 22.7
- Breaches reported: 5
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 24.3
- Breaches reported: 20
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 29.1
- Breaches reported: 22
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 29.3
- Breaches reported: 17
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 29.4
- Breaches reported: 4
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 40.9
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 41.1
- Breaches reported: 4
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 44.5
- Breaches reported: 9
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 49.4
- Breaches reported: 31
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 59.5
- Breaches reported: 5
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 76.2
- Breaches reported: 8
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 81.8
- Breaches reported: 43
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 83.5
- Breaches reported: 11
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 87.4
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 87.9
- Breaches reported: 18
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 91.8
- Breaches reported: 1
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 94.5
- Breaches reported: 6
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 97.8
- Breaches reported: 4
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 116.8
- Breaches reported: 8
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 136.6
- Breaches reported: 18
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 139.7
- Breaches reported: 40
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 140.3
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 188.5
- Breaches reported: 21
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 196.1
- Breaches reported: 2
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 208.6
- Breaches reported: 21
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 213.2
- Breaches reported: 9
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 232.8
- Breaches reported: 27
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 306.1
- Breaches reported: 14
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 335.5
- Breaches reported: 13
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 395.8
- Breaches reported: 9
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 655.2
- Breaches reported: 1
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 703.9
- Breaches reported: 7
- Most common type of breach: Hacking/IT Incident
- People affected per 10,000 residents: 743.2
- Breaches reported: 9
- Most common type of breach: Hacking/IT Incident
Data reporting by Dom DiFurio. Story editing by Jeff Inglis. Copy editing by Tim Bruns. Photo selection by Elizabeth Ciano.
This story originally appeared on Drata and was produced and distributed in partnership with Stacker Studio.
