Culture shift needed to reframe cybersecurity as a patient safety issue

Nov 11, 2024

The cyberattack, reported on Feb. 21, knocked the UnitedHealth Group subsidiary offline, cutting off billions of dollars in payments to medical practices and jeopardizing sensitive information for millions of patients.

In an interview with NBC News, Rick Pollack, CEO of American Hospital Association, described the attack as the most serious incident of its kind leveled against a U.S. health care organization.

However, it was not an isolated incident.

An estimated 725 HIPAA data breaches occurred in 2023, according to the Health Sector Coordinating Council Cybersecurity Working Group, a coalition of health care providers, medical technology companies and other entities that work with the government to mitigate cyber threats to the health care system. Another 141 ransomware attacks struck hospitals, with an average ransom of $1.5 million per institution, according to the working group.

On May 8, the Ascension health care organization was struck by the same cybercriminals behind the Change Healthcare event. The attack disrupted Ascension’s 140 hospitals in at least 10 states for more than a month.

“It was a single individual who downloaded the wrong software on an email that set off this infiltration of ransomware,” Keith A. Bellovich, DO, chief medical officer at Ascension St. John Hospital in Detroit, told Healio | Nephrology News & Issues.

“It could happen anywhere; it could happen to any of us. Yes, we get frustrated with our IT teams for always trying to educate us. But we have to pay attention because this isn’t the end,” Bellovich, who is a Healio | Nephrology News & Issues Editorial Advisory Board member, said.

The health care sector is ripe for attack because of the amount of money, sensitive data and personal information cybercriminals can steal and exploit, according to experts interviewed for this article.

“We have seen it in large health organizations, smaller health systems and in individual practices,” Margaret Lozovatsky, MD, FAMIA, AMA vice president of digital health innovations, said in an interview. “That just speaks to the fact that technology has become such an integral part of care delivery. Every area where we are providing clinical care has the potential to be impacted, and there’s a lot of vulnerabilities in those spaces.”

Everyone is a target

Change Healthcare paid a $22 million ransom to the hacker to regain control of its system. However, the payment did not prevent myriad disruptions to providers and patients.

In a survey of nearly 1,000 U.S. hospitals conducted by the American Hospital Association (AHA) on March 9-12, nearly all respondents (94%) reported financial impacts, with more than half characterizing these as “serious” or “significant.” Nearly 60% of respondents reported the impact to their revenue totaled $1 million or more per day.

“We haven’t even discussed the ongoing damage from records being released,” Theresa Payton, CEO of Fortalice Solutions, a boutique cyber firm that serves the Fortune 100 and other large privately held firms, said in an interview. “Depending on what’s in these records, there could be information that could be used for extortion and blackmail.”

One-third of all Americans — or more than 110 million people — could have had their personal data compromised in the Change Healthcare ransomware attack, UnitedHealth CEO Andrew Witty told Congress in May.

The success of the Change Healthcare attack appears to have prompted a new wave of similar threats.

“It is vitally important for organizations to prepare for this reality,” Payton, who served as the White House chief information officer from 2006 to 2008, said. “When impacted by a cybercriminal syndicate — whether they take a system offline, lock files or steal data — organizations must focus on minimizing and mitigating damages. They need to ensure they can continue to function even while dealing with a cyber incident. It’s easier said than done, but it’s the crucial question every health care organization must address.”

Source: Healio