Medical records of 42 MILLION Americans leaked since 2016 as cyberattacks on hospitals DOUBLED, report warns
- Medical information from millions of Americans is sold on the dark web every year
- There are now more than 90 cyber attacks on healthcare providers each year
- Leads to dangerous supply interruptions, e.g. delays in ambulances or canceled calls
Cybercriminals have accessed the medical records of more than 40 million Americans since 2016, a period in which the number of hacks into healthcare systems doubled.
About half of the hacks caused dangerous supply disruptions, such as ambulance delays, canceled surgeries, and difficulty accessing digital prescriptions.
One in six IT breaches resulted in personal health information being stolen and sold on the dark web, according to a report released today.
Researchers warned that the increasing frequency and sophistication of healthcare cyberattacks threaten patient safety and privacy. They claim the US government is failing to take action against healthcare providers who don’t secure their systems or report ransomware attacks quickly enough.
Last month, reported how a toddler in Iowa was accidentally given a megadose of opioids and “urgent” cancer patients had their surgeries delayed by a month after a multi-state hospital’s IT system went down.
The number of cyberattacks on healthcare providers has more than doubled since 2016, with 91 per year in 2021 versus 43 five years ago
Up to 80 percent of the hacks resulted in business disruptions — which lasted for weeks
The latest analysis by researchers at the University of Minnesota in Minneapolis examined 374 ransomware attacks in the US between January 2016 and December 2021.
The results showed that the frequency of hacks more than doubled in that time, from 43 breaches in 2016 to 91 last year.
Cyber criminals also appear to be getting bolder as the number of attacks targeting large organizations across multiple states increases.
Ransomware is a type of malicious software designed to block access to a computer system until an amount of money is paid.
Without access to patient records and other hospital programs, including medication dispensing systems, doctors and nurses are effectively treating patients in the dark.
Almost half (44%) of ransomware attacks disrupted medical care, with one in 10 resulting in canceled appointments or surgeries, and 4% causing an ambulance to be diverted.
Overall, the medical records of 41.9 million Americans were accessed during that time, but hackers became much more adept at obtaining patient information.
About 1.3 million records were accessed in 2016, compared to more than 16.5 million in 2021—an 11-fold increase.
In all 374 attacks, about one in five healthcare organizations was reportedly able to recover data from backups.
But in 16 percent of ransomware attacks, there was evidence that ransomware actors had made some or all of the stolen medical information public, typically by posting it on dark web forums.
Of hacks in the last five years, 9 percent caused disruptions that lasted two or more weeks.
However, the researchers say the actual number of cyberattacks is “probably underestimated due to underreporting.”
Department of Health (HHS) guidance states that healthcare providers must report a ransomware attack if more than 500 people are affected.
However, the researchers warn that there is confusion over whether hacks need to be reported through official channels when an attack involves encryption but not actual removal of data from computer systems.
They wrote in the report: “Furthermore, current reporting requirements lack either an enforcement mechanism or a penalty for non-compliance.
“Even when an organization reports an attack, there are no sanctions outside of the 60-day window required by law, which could explain the high proportion (53.5 percent) of ransomware attacks with delayed reporting.
“Instead of healthcare organizations correcting themselves when ransomware attacks become more prevalent, we’ve seen an increase in the proportion of late-reported attacks over time.
“Lacks of attack and late reporting present opportunities for lawmakers looking to increase data collection related to cyberattacks, particularly ransomware, to inform an informed and targeted policy response.”