The healthcare industry is facing unprecedented challenges, not only as a result of COVID-19 but also from existing and emerging cyber risks. Historically, threat actors have targeted the industry due to its vast collection of valuable medical data. However, the risks for the industry have grown more acute recently, as COVID-19 forced more of the workforce into remote work and increased the use of telehealth to provide patient care. The risks have also grown due to the increased interconnectivity of the healthcare ecosystem and the rising reliance on outside vendors and suppliers, as well as a consolidation of those outside vendors and suppliers. All of these changes have expanded the attack surface for threat actors to exploit.

According to data reported by the US Department of Health and Human Services (HHS), 2024 saw an average of 62 data breaches per month in the healthcare sector. As of November 1, 2024, more than 170 million records have been breached. (Alder, October 2023 Healthcare Data Breach Report 2023) In light of the Change Healthcare ransomware attack — which was the largest reported cyberattack in healthcare — and threat actors' increasing focus on exploiting supply chains, the industry is waiting to see what 2025 brings in terms of compromised records. To date, however, 2024 was the worst year for the number of breached healthcare records.

Ransomware, hacking, vulnerability exploits, supply chain attacks, and phishing attacks against organizations and their third-party vendors continued to rank among the top causes of data breaches in the industry. Not only are the costs of a data breach substantially higher for the healthcare industry compared with other industries, but the industry is also facing significant enforcement activity and class action lawsuits. The healthcare industry's ability to manage these exposures through cyber insurance is also becoming more costly and difficult, driven by greater scrutiny being placed on organizations' cybersecurity controls during the underwriting process.

The Ransomware Threat

One of the main drivers for the increase in data breaches in the healthcare sector over the past year is the continuously growing threat of ransomware. According to The HIPAA Journal, 2024 was a significant year for ransomware attacks across the board, and healthcare ransomware attacks continue to increase in number and severity. An analysis by the cybersecurity firm Sophos advises that "ransomware attacks continue to increase in healthcare despite a fall in attacks in many other sectors, according to the State of Ransomware in Healthcare 2024." (Emsisoft 2024) Globally, healthcare has the second-highest attack rate, behind central/federal government, with a rate of 68%.

Not only are ransomware attacks in healthcare increasing, but recovery is taking longer due to the increased complexity and severity of attacks. In 2023, 28% of surveyed healthcare organizations said it took more than a month to recover from a ransomware attack. In 2024, 37% of healthcare organizations said it took more than a month to recover from an attack. In 2022, 54% of attacked healthcare organizations said they were able to recover in less than a week, compared with 47% in 2023 and just 22% in 2024. (Alder, At Least 141 Hospitals Were Directly Affected by Ransomware Attacks in 2023 2024)

As noted above, a key driver for this increase was the expansion of the attack surface, whether through remote working or increased use of vendors and suppliers. Threat actors exploited new vulnerabilities this transition created to launch email phishing attacks, which are a top vector for ransomware attacks. (Coveware n.d.) Ransomware attacks are enormously disruptive to organizations from an operational, legal, financial, and patient care perspective.

The following recent ransomware attacks are among the most severe.

The Change Healthcare Ransomware Attack

The largest attack in 2024 was the Change Healthcare mega-attack. Change Healthcare, a unit of Optum and a subsidiary of UnitedHealth Group, provides a wide range of critical IT applications to healthcare sector organizations, from claims processing and pharmacy benefits to eligibility checks and prior authorization. The company says its technology is used to process 15 billion healthcare transactions annually, and its clinical connectivity solutions touch one out of three patient records in the US. (McGee 2024) Millions of Americans use Change Healthcare's platform, either directly or indirectly, as it serves as a backend service provider for various healthcare insurance providers in the US. On February 21, 2024, Change Healthcare publicly disclosed it was hit with a ransomware attack by the BlackCat/ALPHV ransomware gang.

The impact has been devastating for the healthcare industry and the hundreds of millions of Americans who rely on services powered by victimized providers. Physicians and hospitals have been impacted in their ability to bill, manage, and issue prescriptions and healthcare procedures. Pharmacies were unable to properly fill prescriptions, and many providers and individuals experienced financial hardship. The full extent of the business disruption caused is still being quantified. Stolen data includes medical records, Social Security numbers, and information on active military personnel. The American Hospital Association has called it "the most significant cyberattack on the US healthcare system in American history." (Pollack 2024)

The Ardent Ransomware Attack

Before Change Healthcare, one of the most significant attacks was the 2023 attack on Ardent Health Services, which oversees 30 hospitals across the US. One report noted that Ardent's hospitals in three states had to divert patients from their emergency rooms as a result of the ransomware attack. Ardent had to shut down a significant number of its computerized services, "including clinical programs and its use of Epic Systems, a program that tracks patients' healthcare records." (Collier 2023)

Patient care can also be impacted at nearby facilities that accept the diverted patients. A research paper published in May 2023 concluded that nearby hospitals that need to deal with the additional patients may experience "resource constraints affecting time-sensitive care for conditions such as acute stroke. These findings suggest that targeted hospital cyberattacks may be associated with disruptions of healthcare delivery at non-targeted hospitals within a community and should be considered a regional disaster." (Dameff, et al. 2023)

The Postmeds Ransomware Attack

An attack on Postmeds, Inc., a company that does business under the name Truepill and fulfills mail-order prescriptions for pharmacies, resulted in a massive data breach affecting over 2.3 million individuals. As is common, a breach of this magnitude will almost certainly result in a slew of class action lawsuits, some of which have already been filed. The cost of this ransomware attack is yet to be determined, but it could cost Postmeds tens of millions of dollars. (Page 2023)

The MOVEit Transfer Ransomware Attack

Threat actors are continuing to evolve their ransomware attacks to maximize payouts. Most notable in 2023 was the Clop ransomware group's exploitation of Progress Software's MOVEit Transfer product. In the attack, the threat actors exploited a bug in the product, which thousands of organizations, including healthcare organizations, use to transfer sensitive files. More than 2,300 organizations are known to have been affected, with more than 60 million records stolen. (Alder, October 2023 Healthcare Data Breach Report 2023) The MOVEit attack demonstrates the devastating downstream effects when threat actors target a commonly used product.

As organizations become savvier about backing up data for business resilience, threat actors are now using what is known as the double extortion method: instead of simply encrypting files and hoping the victim cannot recover their data, they also steal data before encrypting it. A ransom is then demanded both for the decryption tool and for the deletion of the stolen data. If the victim's backups are viable, the cybercriminal can at least still demand a ransom for the deletion of the stolen (and presumably sensitive) data. Threat actors know healthcare data is particularly valuable.

What Happens Immediately After a Ransomware Incident?

One of the first questions that must be addressed following a ransomware incident is whether the organization should pay the ransom. This question requires thoughtful consideration of a number of factors. For example:

  • Whether the organization has viable backups from which it can restore its data if it doesn't pay the ransom. Even with viable backups, it could still take weeks, or months, to fully restore an organization's data. Under such circumstances, paying a ransom might be the most expedient solution.
  • Whether the criminal organization behind the incident has a history of living up to its promises.
  • Whether the threat actors may have exfiltrated data off the victim's network and are threatening to publish it if payment isn't made, which is increasingly the case.

Most recently, threat actors have been using the double extortion method of demanding ransom for both the decryption and deletion of exfiltrated data. If an organization does decide to make a ransom payment, before the payment is made, it must confirm that the threat actor isn't a sanctioned group under the US Department of the Treasury's Office of Foreign Assets Control. Otherwise, it may face sanctions.

Cybersecurity vendors who specialize in negotiating and responding to ransomware incidents can provide critical assistance to organizations dealing with a ransomware incident. One of the many benefits of cyber insurance is having immediate access to the cyber insurance carrier's panel of experienced and vetted cybersecurity vendors, including breach counsel, forensics firms, and ransom negotiators. These vendors can help organizations assess and effectively respond to ransomware incidents. Breach counsel is instrumental in protecting the attorney-client privilege of the investigation and in advising on regulatory and consumer notification requirements and their timing. Counsel will also work with victims on notifying law enforcement, such as the Federal Bureau of Investigation's (FBI's) Internet Crime Complaint Center (IC3), since reporting such incidents gives law enforcement a greater understanding of the threat.

Other Cyber Risks Affecting Healthcare Organizations

Aside from ransomware incidents, healthcare organizations need to manage and guard against numerous other types of cyber threats. While this article won't detail all of the cyber threats impacting the healthcare sector, we focus on several of the most significant risks below.

Third-Party Vendors and Supply Chain Attacks

According to The HIPAA Journal, cyberattacks on vendors and business associates of healthcare organizations have "increased to the point where attacks on business associates now outnumber attacks on healthcare providers." (Alder, Healthcare Organizations Most Common Victims in 3rd Party Data Breaches 2023) In 2023, Black Kite, a vendor risk management company, analyzed 63 third-party breaches that affected at least 298 companies and reported a doubling of the impact and destruction those breaches caused. In 2021, an average of 2.46 companies were affected by each third-party breach, with the number of affected companies increasing to an average of 4.73 per breach in 2022. (Alder, Healthcare Organizations Most Common Victims in 3rd Party Data Breaches 2023)

In addition to the Change Healthcare ransomware attack, the MOVEit incident in 2023 also highlighted the risks to the healthcare industry in relation to third-party vendors. MOVEit, a popular managed file transfer tool owned by Progress Software, contained a vulnerability that the Clop ransomware gang exploited for monetary gain, impacting thousands of companies and approximately 78 million people globally. (Kaur 2023) Clop threatened to identify these victim companies and publish stolen data if a ransom wasn't paid. Several healthcare organizations were affected, and sensitive data was exposed, including patient medical histories and personal information. Progress Software is now facing regulatory investigations, as well as more than 20 lawsuits for breach of contract, negligence, and invasion of privacy. Several healthcare organizations are also now being named in class action lawsuits arising out of the MOVEit incident, and more lawsuits are expected to be filed in 2024.

Hacking Incidents

Hacking is the largest root cause of data breaches in the healthcare industry. In October 2024, hacking was responsible for about 81.7% of that month's reported breaches, up from 77.5% in the previous year. Similarly, hacking accounted for 99.1% of the month's breached records (5,183,578 just for October 2024). The average breach size was 112,656 records. (Alder, October 2023 Healthcare Data Breach Report 2023)

Hacking incidents can often be traced to leaked credentials. One reason why data breaches are more costly in healthcare than in other industries is that the average time to identify and contain a data breach in healthcare is longer. In general, the length of a hacking incident correlates with the cost of resolving the incident.

Phishing

Hackers are also continuing to rely on email phishing as a key strategy to target victims in healthcare organizations. Phishing emails are frequently used to spoof a trusted sender and trick unsuspecting victims into entering their credentials on a fake login page. In addition, phishing campaigns frequently deliver malware, including ransomware. Other malware variants can allow hackers to steal data, capture keystrokes, take screenshots, and launch malicious code.

One of the largest phishing attacks in the healthcare industry in 2023 involved AllCare Plus Pharmacy. In that attack, nearly 6,000 individuals potentially had their protected health information (PHI) exposed due to an email phishing attack that led to unauthorized access to the email accounts of several AllCare Plus Pharmacy employees. (Rodriguez 2023)

Insider Threats

While high-profile data breaches by threat actors generally capture news headlines, a significant percentage of breaches are the result of basic employee negligence, including unauthorized access or disclosure incidents. This negligence includes employees bringing PHI home or sending PHI to a personal account or device, viewing data without the proper authorization, and making email errors, such as sending PHI to incorrect recipients.

Healthcare organizations have made significant strides in tightening their administrative, physical, and technical controls, leading to a decrease in these types of incidents.

Artificial Intelligence

Many healthcare organizations are adopting artificial intelligence (AI) to assist medical professionals and staff, provide 24/7 patient services, deliver quicker diagnoses and treatment, reduce costs, and provide better scalability across all business functions.

However, threat actors are similarly adopting the use of AI in cyberattacks. Threat actors can use AI to:

  • Easily create new malware, find new zero-day vulnerabilities, and bypass detection.
  • Create more sophisticated, original, and targeted phishing attacks and draft phishing emails in multiple languages to appear more credible.
  • Quickly analyze exfiltrated data to locate valuable personally identifiable information (PII) and PHI to make more credible threats and extort more money.
  • Target AI models themselves, manipulating AI algorithms to provide incorrect diagnoses or treatment recommendations, potentially endangering patients' lives.

Duty to Notify Patients, Regulators, and Business Partners

Following a cyber incident — including a data breach — organizations may have a legal duty to report the incident, depending on the nature of the incident and/or the type of data that was potentially compromised. This duty may be based on contractual requirements, state law, or federal law.

Healthcare organizations that are considered a "covered entity" under the Health Insurance Portability and Accountability Act (HIPAA), as well as their "business associates," are required to report certain cyber incidents to the Office for Civil Rights (OCR) pursuant to HIPAA. Under the HIPAA Security Rule, a ransomware attack is considered a "security incident." Once the ransomware is detected, the covered entity or business associate must initiate its security incident response and reporting procedures.

For organizations governed by the Securities and Exchange Commission (SEC), a new rule that went into effect on December 15, 2023 requires that domestic public companies report material cybersecurity incidents through a Form 8-K within four business days of discovery (with limited exceptions).

Organizations may also have a duty under state law to notify affected individuals and/or regulatory authorities of a breach of PII and PHI. Organizations must comply with the notification laws of the states in which the affected individuals reside, which may have different definitions of what constitutes PII, as well as different notification requirements. Organizations may also have contractual obligations to notify certain business partners in the event of a data breach.

The decision of whether to notify, who to notify, and how to notify often requires complex legal analysis. Therefore, it's strongly recommended that organizations consult with legal counsel before sending notifications. Improper notification could have negative consequences for an organization, including an increased likelihood of class actions, regulatory actions, and regulatory fines.

Furthermore, consulting with legal counsel experienced in handling data breach matters can help organizations better respond to the numerous inquiries they're likely to receive following the breach notification.

Finally, having the proper incident response plan in place, including breach counsel and other incident response vendors, can help the affected organization become more resilient.

Post-Breach Regulatory Investigations and Class Action Litigation

Unfortunately, completing an investigation and notifying of a breach doesn't necessarily signify the end of a cyber incident. In many cases, it merely marks the beginning of class action lawsuits and regulatory proceedings against the organization, both of which can result in multimillion-dollar settlements.

The OCR within HHS is responsible for enforcing the HIPAA Privacy and Security Rules, the standards for the protection of certain PHI, through voluntary compliance activities and the imposition of civil monetary penalties. In 2023, the OCR engaged in significant enforcement activities against healthcare organizations. One major development was the OCR's recent settlement with Blackbaud, a company that provides donor relationship management software. Blackbaud agreed to a $49.5 million settlement and substantial corrective action to settle potential violations of the HIPAA Privacy and Security Rules relating to a 2020 data breach that exposed the PHI of nearly 5.5 million individuals. The OCR also entered into a $1.4 million settlement with Inmediata over HIPAA Privacy and Security Rules violations stemming from a 2019 data breach that impacted over 1.5 million individuals' PHI. In light of the Change Healthcare ransomware attack affecting countless organizations and individuals, we expect the coming year to involve significant enforcement activity.

The OCR's enforcement activity is also likely to ramp up in light of the HHS' concept paper, published in December 2023, which outlines a cybersecurity strategy for the healthcare sector. (US Department of Health and Human Services 2023) The strategy advises that HHS will establish voluntary Cybersecurity Performance Goals to help healthcare institutions plan and prioritize the implementation of high-impact cybersecurity practices. In addition, the strategy indicates that HHS will implement plans to support greater enforcement and accountability, including requesting that Congress expand its enforcement authority and increase civil monetary penalties. This recently published concept paper will be closely followed by the healthcare sector, as the Cybersecurity Performance Goals are very likely to become regulatory requirements.

Healthcare organizations also face significant potential risk of state and federal class action lawsuits following a data breach. Such lawsuits will typically assert common law causes of action, including negligence, breach of contract, and fraud, as well as statutory claims. The California Consumer Privacy Act and the Illinois Biometric Information Privacy Act are among the statutes that have become a recent focus for plaintiffs' counsel in data breach litigation. Many healthcare organizations are facing legal scrutiny over the alleged improper gathering and disclosure of PHI and other sensitive information via a web browser tracker called Meta Pixel and other session replay code programs, which are used to share and analyze data.

Given the sharp increase in security incidents impacting healthcare organizations in 2024, coupled with the litigation that will result from the Change Healthcare ransomware mega-attack, a proportionate increase in data breach litigation is expected in 2025.

Cyber Insurance Coverage for Healthcare Organizations

Cyber liability insurance policies provide first- and third-party protection to businesses if sensitive information is compromised. They cover the first-party costs (expenses that an organization incurs directly due to a cyber incident), such as the cost to investigate and respond to a breach. They also provide first-party coverage for other types of loss resulting from a cyber incident, such as business interruption loss, data recovery costs, reputational harm, and extortion demands. A cyber insurance policy also provides access to the carrier's panel of experienced and vetted cybersecurity providers who can quickly assist policyholders with investigating and responding to a data security incident.

Cyber insurance policies further provide liability coverage to policyholders for third-party lawsuits or regulatory proceedings against them arising from cyber incidents. Third-party liability coverage helps pay for damages (settlements and judgments) the policyholder is legally obligated to pay, as well as claim expenses (attorney's fees and court costs) to defend the policyholder against the claims.

Finally, many cyber insurance policies now also include some limited eCrime coverage. This coverage may include certain coverages typically found under a crime policy, such as social engineering, funds transfer fraud, or invoice manipulation coverage. It's evident that the costs of a cyber incident can be devastating to a business. Research has shown that healthcare has the most expensive data breach costs on average, at $11 million per incident in 2023, signifying a $1 million increase from the previous year's report and a 53% increase since 2020. (McKeon 2023)

Cyber insurance is the most effective mechanism available for businesses to cover financial losses due to a cyber incident. However, with an uptick in the severity of losses and a lack of historical data for pricing, cyber insurance carriers have started making significant changes to their underwriting practices to manage their increased exposure. Such changes include pursuing rate increases of up to 50% per year, doubling and tripling deductibles and retentions, reducing policy limits, using sublimits or coinsurance to manage ransomware exposure, and narrowing and tightening coverage wordings.

Carriers are also becoming increasingly disciplined in the risk selection process, requiring more data from applicants and scrutinizing their data protection controls and regulatory compliance. Supplemental applications addressing ransomware risks specifically are also becoming more common. Carriers are increasingly relying on security scans and attack surface monitoring to gain a better understanding of an organization's cybersecurity vulnerabilities. Some carriers have also declined to renew policies where the organization cannot show that multifactor authentication has been implemented across the organization.

Conclusion

Healthcare organizations face growing and evolving cyber risks that threaten not only their bottom line and reputation but also critical services and patients' health and safety. There's no indication that these risks will abate at any time in the foreseeable future.

Just as the best defense is a good offense, healthcare organizations should invest in cybersecurity, such as endpoint monitoring and detection, as well as in segregated and segmented offline encrypted backups to reduce the average time to identify and respond to a breach and the potential cost of a breach. Employee training, particularly in relation to avoiding phishing emails, can be very effective in reducing the risk of a ransomware attack and also in protecting PHI. The cybersecurity framework outlined in the December 2023 HHS concept paper will help inform the healthcare sector on where to focus organizational efforts and resources for high-impact results.

Finally, cyber insurance, though it may be more costly and difficult to acquire than in previous years, is still an effective mechanism for managing an organization's cyber risk exposure and helping an organization respond more quickly and effectively to a data breach.

Authors


Bill Bower
EVP — Practice Leader, Healthcare Vertical

Kirsten Mickelson
Cyber Product Group Leader

Sources

Alder, Steve. 2024. At Least 141 Hospitals Were Directly Affected by Ransomware Attacks in 2023. January 4. https://www.hipaajournal.com/2023-healthcare-ransomware-attacks/#:~:text=According%20to%20an%20analysis%20by,IT%20systems%20and%20patient%20data.

—. 2023. Healthcare Organizations Most Common Victims in 3rd Party Data Breaches. February 14. https://www.hipaajournal.com/healthcare-most-common-victim-in-3rd-party-data-breaches/.

—. 2023. October 2023 Healthcare Data Breach Report. November 17. https://www.hipaajournal.com/october-2023-healthcare-data-breach-report/.

Collier, Kevin. 2023. Emergency rooms in at least 3 states diverting patients after ransomware attack. November 27. https://www.nbcnews.com/tech/security/emergency-rooms-least-3-states-diverting-patients-ransomware-attack-rcna126890.

Coveware. n.d. Ransomware Quarterly Reports. Accessed April 1, 2024. https://www.coveware.com/ransomware-quarterly-reports.

Dameff, Christian, Jeff Tully, Theodore C Chan, Edward M Castillo, Stefan Savage, Patricia Maysent, Thomas M Hemmen, Brian J Clay, and Christopher A Longhurst. 2023. Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US. May 1. https://pubmed.ncbi.nlm.nih.gov/37155166/.

Emsisoft. 2024. The State of Ransomware in the U.S.: Report and Statistics 2023. January 4. https://www.emsisoft.com/en/blog/44987/the-state-of-ransomware-in-the-u-s-report-and-statistics-2023/.

Kaur, Gagandeep. 2023. MOVEit carnage continues with over 2600 organizations and 77M people impacted so far. November 21. https://www.csoonline.com/article/1248857/moveit-carnage-continues-with-over-2600-organizations-and-77m-people-impacted-so-far.html.

McGee, Marianne Kolbasuk. 2024. The Widespread Effect of the Change Healthcare Mega Hack. March 1. https://www.healthcareinfosecurity.com/interviews/widespread-effect-change-healthcare-mega-hack-i-5355.

McKeon, Jill. 2023. Why Are Healthcare Data Breaches So Expensive? August 31. https://healthitsecurity.com/features/why-are-healthcare-data-breaches-so-expensive#:~:text=Healthcare%20cybersecurity%20incidents%20have%20been,53%20percent%20increase%20since%202020.

Page, Carly. 2023. Digital Pharmacy Startup Truepill Says Hackers Accessed Sensitive Data of 2.3 Million Patients. November 15. https://techcrunch.com/2023/11/15/truepill-hackers-millions-patients/.

Pollack, Richard J. 2024. AHA Urges Congress to Provide Support to Help Minimize Further Fallout from Change Healthcare Attack. March 4. https://www.aha.org/lettercomment/2024-03-04-aha-urges-congress-provide-support-help-minimize-further-fallout-change-healthcare-attack#:~:text=AHA%20Member%20Center-,AHA%20Urges%20Congress%20to%20Provide%20Support%20to%20Help,Fallout%20from%20Change%20Hea.

Rodriguez, Sarai. 2023. MA Pharmacy Falls Victim to Email Phishing Attack, Results in PHI Exposure. March 21. https://healthitsecurity.com/news/ma-pharmacy-falls-victim-to-email-phishing-attack-results-in-phi-exposure.

U.S. Department of Health and Human Services. 2023. Health Sector Cybersecurity. December. https://aspr.hhs.gov/cyber/Documents/Health-Care-Sector-Cybersecurity-Dec2023-508.pdf.
