Date: 2024-04-17

Over 7 million people's medical information in New York State was stolen or exposed last year, a USA TODAY analysis of Health and Human Services data found.

After breaking records in 2023, the most significant breach hit in February when a ransomware attack targeted Change Healthcare, the nation's largest health care payment system, which is owned by UnitedHealth Group. The company handles a third of all patient records and processes 15 billion health care transactions a year, according to an HHS letter.

The COVID-19 pandemic accelerated the use of remote and third-party technologies, making the health care ecosystem more interconnected and vulnerable to cyberattacks, said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association. These technologies can help deliver care to patients wherever they are, but they also give hackers broader access to health care systems and records.

Since 2019, data breaches targeting third-party vendors contracted by hospitals have more than tripled, growing at a significantly faster rate than attacks aimed directly at traditional health care providers, USA TODAY’s analysis of HHS data showed.

“The bad guys have figured it out,” Riggi said. “They realized, ‘Why hack 1,000 hospitals when I can hack the one common business associate and get all the data?’”

Cyberattacks on hospitals disrupt patient care and pose risks to patient safety. Surgeries are canceled or rescheduled. Patients and ambulances get diverted. Patients’ protected health information and personally identifiable information are exposed. When clearinghouses and health care payment systems are targeted, billing and payment issues can persist for months.

“It’s just going to get worse,” said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center.

Has your health information been exposed in New York?

Federal law requires health care organizations to report security breaches that expose patient information to Health and Human Services. Patients can search by company name, breach type, or company location to see if their health information has been compromised.

What is the main cause of health care data breaches?

Cyberattacks aren’t uniquely a health care problem, but the industry is a major target because of the abundance of financially valuable personal information, said Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society.

Hacking incidents are the most common type of health data breach, accounting for more than half of the cases going back to 2009, USA TODAY’s analysis found.

Ransomware attacks, in which cybercriminals demand large sums of money to restore access to sensitive medical data, are becoming more common, Weiss said. The health care industry is affected by ransomware attacks more than any other critical infrastructure sector, according to a 2023 internet crime report by the FBI.

Compared to other sectors, “health care is more inclined to pay because ultimately lives are at stake,” Weiss said.

“It’s a self-serving prophecy,” he said. “Because organizations are paying the ransoms, we're seeing a very expected evolution in the increase in the number of attacks.”

Not all hospitals and health care organizations have enough money, technology and staff to protect themselves, Riggi said.

“The health care sector is woefully behind when it comes to resourcing cybersecurity and information security,” Weiss said.

“We’re really playing catch-up.”

