2024 Notable Healthcare Cyber Incidents So Far

October is Cybersecurity Awareness Month. Follow our coverage for expert commentary, best practices, and news in healthcare.

According to SonicWall’s 2024 Healthcare Threat Brief, at least 14 million US patients have been affected by malware breaches, as outdated systems leave healthcare providers vulnerable to evolving ransomware threats. According to Cybersecurity Magazine, the total cost of cybercrime is projected to be upwards of $9 trillion in 2024, growing to over $10.5 trillion in 2025. 2024 has seen the costliest technology outage in history.

Entities are required to notify the HHS Office for Civil Rights of breaches that affect 500 individuals or more. You can find notifications that are currently under investigation on its site.

Here are notable healthcare cyber incidents so far this year that have impacted, and in many cases disrupted, care delivery.

Concentra Health Services

On January 9, 2024, Concentra confirmed that the protected health information of nearly 4 million patients was compromised in the PJ&A cyberattack. Concentra is a Texas-based provider of occupational medicine and urgent care. According to a statement released by Concentra in February, “This event occurred solely at PJ&A and was not the result of any activities or inactions on Concentra’s part.”

Change Healthcare

On February 21, 2024, Change Healthcare became aware of the deployment of ransomware in its computer system. UnitedHealth Group’s Change Healthcare identified the group claiming responsibility for the cyberattack as ALPHV/Blackcat. The attack compromised the sensitive personal information of millions of individuals, making it one of the largest healthcare breaches in history. According to The HIPAA Journal’s ongoing coverage, the cost of the attack has risen to $2.457 billion, as stated in UnitedHealth Group’s Q3 2024 earnings report.

HealthEquity Inc.

On March 25, 2024, HealthEquity was alerted to unusual activity. The breach involved a vendor’s user accounts that had access to an online data storage location (SharePoint). HealthEquity stated that there was no unauthorized access to its core systems. The company manages millions of HSAs, HRAs, and other benefit accounts. The breach affected 4.3 million members’ Health Savings Account records.

Kaiser Foundation Health Plan, Inc.

On April 12, 2024, U.S. health conglomerate Kaiser Foundation Health Plan, Inc. (Kaiser) filed with the U.S. Department of Health and Human Services (HHS), reporting that 13.4 million of its members’ information was taken in a data breach. The healthcare company confirmed the data breach occurred due to unauthorized access on its network servers after the company shared its patients’ information with third-party advertisers, including Google, Microsoft, and X.

Ascension

In May 2024, St. Louis, MO-based Ascension fell prey to a ransomware attack. Ascension is one of the largest health systems in the United States, with some 140 hospitals located across 19 states and DC. By September, its fourth-quarter financial reporting showed a $1.8 billion operating margin loss by the end of its fiscal year.

Acadian Ambulance Service

Acadian became aware of suspicious activity on June 21, 2024, and immediately took steps to secure its systems. The investigation determined that unauthorized access to Acadian’s network occurred between June 19 and June 21, 2024, and that certain files and folders may have been taken without authorization. In August, Acadian reported the breach to the HHS Office for Civil Rights as involving the protected health information of 2,896,985 individuals.