The Matrix

Traditional Health Data Breaches Are Continuing

Breaches of healthcare systems are continuing at an aggressive pace. According to Emsisoft Malware Lab, so far this year, at least 25 healthcare providers operating 290 hospitals have been impacted by ransomware. A recently published security industry report by the Ponemon Institute and IBM Security states that, for the 13th straight year, healthcare continues to be the industry with the most expensive data breaches. According to the report, the average cost of a healthcare data breach is $11 million (an eight percent increase from last year and a 53% increase since 2020).  For comparison, the financial industry has the second highest average data breach, with an average cost of six million dollars. 

A few recent examples on healthcare systems include:

• In November 2023, a healthcare system operating 30 hospitals across six states said in a statement that a ransomware attack had led to it proactively taking its networks offline on Thanksgiving, requiring the system to reschedule some elective procedures and divert some emergency room patients to other area hospitals.
• In February 2023, a private community healthcare system was forced to divert emergency patients to other hospitals and cancel all nonemergency surgeries due to a ransomware attack. 
• In January 2023, a threat actor targeted hospitals across 25 states in the United States with a series of “denial-of-service” attacks, leaving many hospitals offline for hours.
• At the end of 2022, a ransomware attack against a major U.S. health system compromised the data of over 600,000 patients, interrupted access to electronic health records and resulted in delayed care for many patients.  The health system reported over $160 million in losses due to this breach.

These incidents highlight the growing trend for threat actors to attack health systems. Industry reports indicate that, since the COVID-19 pandemic, several reasons exist for this trend: (1) resignations and burnout have left the industry short staffed and slower to respond to cyberattacks; (2) the ability to work from home and use remote log-ins has created more entry points for attackers; and (3) COVID-19 surges and supply chain disruptions have diverted funds to more emergent needs than cyber security measures. Put simply—health systems are “data-rich” targets that may have weaker mitigation tools compared to certain other business sectors. Moreover, data breaches of healthcare systems are increasingly resulting in the entities facing class action lawsuits alleging negligence and other claims.

The FTC’s Expanding Definition of a Health Data Breach

Recent activity by the FTC has expanded the scope of health data breaches. Earlier this year, the FTC announced a notice of proposed rulemaking to amend the HBNR. Among other things, the proposed changes are aimed at clarifying what constitutes a breach that triggers the rule’s notification requirements. The HBNR applies to consumer technologies that handle health information beyond HIPAA covered entities, such as health apps and fitness trackers and monitors. In the event of a breach of security of unsecured personal health records, the HBNR requires certain notifications to consumers, the FTC and, in some cases, media outlets. The HBNR solely requires notification for breaches of unsecured health information, which is considered health information that is not secured through technologies or methodologies specified by the U.S. Department of Health and Human Services. The FTC’s rulemaking followed a policy statement that it issued in September 2021, in which the FTC broadly construed a breach – suggesting, for example, that a health app’s disclosure sensitive health information “without users’ authorization” constituted a “breach of security” under the HBNR. The FTC’s proposed rulemaking utilizes a similarly broad definition of breach of security.

 The FTC recently has enforced the HBNR against companies that allegedly disclosed sensitive health information without authorization.  For example, the FTC alleged that Easy Healthcare violated the HBNR by sharing sensitive health information of individuals using its period tracking app for advertising purposes. The developer agreed to pay a $100,000 civil penalty and was permanently barred from sharing users’ personal health data with third parties for advertising. In addition, GoodRx paid $1.5 million for alleged FTC Act and HBNR violations, including sharing sensitive personal health information with advertising companies and failing to report these unauthorized disclosures per the HBNR. Notably, under the FTC’s recent actions, data such as email and IP addresses alone arguably could be considered sensitive and require express affirmative consent in instances where disclosure of that information to a third party would implicitly disclose the consumer’s sensitive health information. Based on the FTC’s enforcement, companies should carefully consider whether information they collect links to sensitive health information and whether disclosure of that information requires affirmative consent to avoid being considered a breach of security under the HBNR. 

From the traditional concept of a data breach in the healthcare industry to the recent evolution of what it means to be a data breach, health systems and non-HIPAA entities alike should take care when interacting with health information on all platforms. The continued rising costs of healthcare data breaches and recent proposed changes to and enforcement of the HBNR demonstrate the heightened importance of strengthening current security positions (as well as the devastating costs when such positions fail) and more closely monitoring the use and disclosure of health information to keep up with the evolution of digital health.