The number is already 60% higher than in 2022, federal officials say. Most of the breaches came from cyberattacks.
Even with two months left in 2023, far more people have been affected by breaches of private health data than last year.
More than 88 million individuals have been affected by large breaches of personal health information, according to the U.S. Department of Health & Human Services. Organizations are required to notify the department about any breaches of health data affecting more than 500 people.
The number of people affected by health data breaches has risen by 60% in 2023, the health department says. The department said 77% of the large breaches this year have come from cyberattacks. Some breaches of data have also involved the inadvertent disclosure of health information through tracking technologies on systems’ websites.
Over the past four years, there has been a 239% increase in the number of large breaches involving hacking reported to the HHS Office of Civil Rights, which tracks data breaches.
The health department included the 2023 figures in a news release about a settlement with a Massachusetts organization over a breach of health data.
Federal officials said they reached a $100,000 settlement with Doctors’ Management Services, a Massachusetts company that provides medical billing and other administrative services. The organization suffered a ransomware attack that affected the electronic health information of 206,695 individuals, the health department says. The breach occurred in April 2017 but wasn’t detected until December 2018, HHS says.
More hospitals and healthcare organizations have suffered ransomware attacks this year. In the first half of 2023, more than 220 hospitals were affected by cyberattacks, according to the American Hospital Association.
HCA Healthcare, the nation’s largest for-profit hospital system, said in July that it suffered a cyberattack that may have affected as many as 11 million individuals. In a statement, HCA described the incident as “a theft from an external storage location exclusively used to automate the formatting of email messages.”
Several other organizations have reported breaches of private health information affecting more than 1 million individuals.
Cybersecurity experts say hospitals and other healthcare organizations are tempting targets for hackers because of the value of private health information. In addition, bad actors have learned that health systems will often pay to regain access to their data and restore critical systems, including electronic health records.
Federal authorities recommend that health systems not pay ransom demands. However, cybersecurity experts acknowledge that it can be a difficult decision for hospitals that want to serve their patients and protect their systems.
Cyberattacks can be costly to health systems. The average health data breach costs organizations nearly $11 million, according to IBM Security.
However, researchers and cybersecurity experts are increasingly warning health systems about the risk cyberattacks pose to patient care.
The Joint Commission published some guidelines in August for hospitals and health systems to respond to cyberattacks and continue caring for patients. The commission said hospitals should be prepared to care for patients without key electronic systems for weeks.
Cybersecurity experts spoke with Chief Healthcare Executive® about emerging threats for healthcare organizations.