Healthcare cyber attacks and data breaches have risen in recent years, according to The HIPAA Journal. The year 2023 set two records: the most reported healthcare data breaches (725) and the most breached records (more than 133 million).
Several major breaches have made headlines. In February 2024, Change Healthcare, whose technology powers the processing of some 15 billion medical bills and insurance claims a year, suffered a ransomware attack. The attack not only froze large portions of the Change Healthcare system but also led to exposure of the protected health information (PHI) of potentially one in three Americans.
In May 2024, Ascension, one of the nation’s biggest nonprofit healthcare systems, suffered a ransomware attack that closed pharmacies, forced ambulance diversions, and prevented electronic health records (EHR) access across its 140 hospitals. Although hackers gained access to only a few servers, they exfiltrated files likely containing protected personal information.
Both the Ascension ransomware attack and Change Healthcare data breach illustrate the consequences healthcare cyber attacks can have for patients and the organizations responsible for protecting their data.
As a Cyber Insurance broker, you can do much to help healthcare clients safeguard sensitive information, reduce their risk of data breaches, and respond effectively should one take place.
Possible Consequences of Healthcare Data Breaches
The Health Insurance Portability and Accountability Act (HIPAA) mandates healthcare providers and other covered entities keep sensitive patient information private and secure. In HIPAA breaches, that information is accessed or exposed without patients’ authorization.
HIPAA breaches include compromises of individuals’ data through:
- Ransomware and other malware attacks
- Social engineering attacks (such as phishing emails)
- Lost or stolen devices
- Lack of adequate (or any) encryption
- Lack of proper cyber security measures [for example, multifactor authentication (MFA)]
- Employee negligence
- Improper records disposal
The Change Healthcare cyber attack, for instance, occurred because its server lacked basic multifactor authentication security. Meanwhile, the Ascension Healthcare cyber attack began when an employee mistakenly downloaded a malicious file.
However it happens, once PHI is in bad actors’ hands, they can abuse it to wreak havoc on people’s lives. Patients can find themselves vulnerable to financial and emotional distress. They may spend years repairing their credit and financial records.
HIPAA breaches can also damage a healthcare organization’s reputation. A damaged reputation leads to broken trust, lost customers, and decreased revenue.
And healthcare cyber attacks can have legal and financial repercussions. Under HIPAA, healthcare providers, health plans, healthcare clearinghouses, and other entities, as well as their business associates, can face financial penalties.
The Office for Civil Rights, the Department of Health and Human Services agency that enforces HIPAA, can impose penalties ranging from $137 to $68,928 per violation. The maximum penalty is $1.5 million per year for repeated violations of the same provision.
The penalty’s size depends on the severity of the violation, the organization’s level of culpability, and its efforts to correct the violation. A violation due to willful neglect not corrected within the required time frame, for example, will result in a higher penalty than one promptly addressed and mitigated.
Help Your Clients Respond to and Reduce Their Risk of HIPAA Breaches
Threat actors relentlessly mount healthcare cyber attacks because PHI is so lucrative on the illegal market. The medical practices, hospitals, and other healthcare organizations you serve as a broker must realize that the question is less whether they will face a HIPAA breach than when.
How can you help your healthcare clients respond to a data breach?
You can teach clients the importance of having a comprehensive incident response plan in place before a breach occurs. The plan should include:
- Instructions for timely notification of internal stakeholders, external experts (including legal counsel and digital forensic experts), law enforcement and regulatory agencies, and affected individuals
- Clear definitions of the roles of management, IT, and other departments
- Step-by-step instructions that follow incident response best practices
You should also stress preventive measures your clients can take to reduce the risk of future breaches. These steps include:
- Implementing robust cyber security measures such as encryption and multifactor authentication
- Carrying out regular risk assessments
- Conducting regular staff training on security best practices
How Cyber Insurance Coverage Benefits Your Healthcare Clients
The financial penalties for HIPAA breaches are stark reminders of the costs associated with failing to safeguard patients’ sensitive information.
One of the best ways to help your clients mitigate the financial risks of healthcare data breaches is by quoting and selling them a strong, comprehensive Cyber Liability Insurance policy.
There are many costs associated with data breaches and other cyber incidents, and Cyber Insurance coverage assists with:
- Notifying affected individuals
- Providing credit monitoring services
- Managing the public relations fallout from a data breach
- Conducting a forensic investigation to determine the cause of the breach
- Implementing necessary security measures to prevent future incidents
- Defending against lawsuits or regulatory penalties
A Cyber Liability Insurance policy can give healthcare organizations valuable financial protection in the face of ever-evolving cyber threats.
Watch our Cyber U video about why healthcare organizations need Cyber Insurance. Show it to your healthcare clients. Then register with ProWriters so you—with less effort and in less time—can use the Digital IQ Comparative Rate Platform to research and quote the Cyber policies they need, without sacrificing their protection or peace of mind.