Outpatient Facilities Now Top Targets for Healthcare Data Breaches

Cyber criminals are shifting their healthcare data breach targets away from hospitals and onto outpatient facilities and business associates, a new report shows.

By Jill McKeon


August 30, 2021 - Hackers are changing their tactics when it comes to healthcare data breaches in 2021. As hospitals struggled to combat COVID-19 in 2020, cyber criminals added to the chaos by infiltrating networks, threatening to release medical information online, and demanding ransoms from increasingly desperate hospitals.


But in the first half of 2021, outpatient facilities and specialty clinics fell victim to healthcare data breaches nearly as often as hospitals, according to a new report published by Critical Insight. In addition, business associates accounted for 43 percent of all healthcare breaches, which validated a three-year upward trend.


The number of breaches in 2021 was higher than in the first six months of last year and in any six-month period between 2018 and the first half of 2020, researchers found.



The report examined HHS’s data breach portal to garner valuable insights on the shifting trends in healthcare data breaches. The portal displays all reported healthcare data breaches along with the number of individuals impacted, entity type, and location of the breached information.


HHS breaks down healthcare cybersecurity incidents into five main categories: hacking/IT incident, improper disposal, loss, theft, and unauthorized access/disclosure. Researchers discovered that more than 70 percent of the data breaches reported in the first half of the year were categorized as a hacking/IT incident.


As hospitals adjust their cybersecurity strategies to prepare for the likely event of a cyberattack, hackers have been forced to look elsewhere for targets. As a result, outpatient facilities and business associates should now be on high alert.


In the first half of the year, 141 breaches reported to HHS involved business associates, compared to 44 in the first half of 2018.


“The causes of breaches at third-party vendors can run the gamut, ranging from poor access controls that fail to prevent vendors from seeing restricted data to phishing attacks,” the report explained.


“As these and other third-party breaches continue to make the news, it demonstrates that attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain.”


An increase in hacking/IT incidents led to a 77 percent increase in the number of breaches in the first half of 2021 compared to the first half of 2018.


It is unsurprising that hackers have chosen to aggressively attack the healthcare industry, researchers emphasized. Protected health information (PHI) is valuable in many ways. Hackers can sel