Medical records of 42MILLION Americans have been leaked since 2016 as cyberattacks on hospitals DOUBLED, report warns
- Millions of Americans’ medical info is being sold on the dark web every year
- There are more than 90 cyberattacks on healthcare providers each year now
- Leads to dangerous care disruptions, such as ambulance delays or canceled ops
Cybercriminals have accessed the medical records of more than 40million Americans since 2016 as the number of hacks on healthcare systems doubled.
Around half of the hacks caused dangerous care disruptions, such as ambulance delays, canceled operations and difficulties accessing digital prescriptions.
One in six IT breaches led to personal healthcare information being stolen and sold on the dark web, according to a report published today.
Researchers warned that the increased frequency and sophistication of cyberattacks on healthcare are threatening patient safety as well as privacy. They claim the US Government is failing to crack down on healthcare providers who fail to shore up their systems or report ransomware attacks fast enough.
Last month, DailyMail.com reported how a toddler in Iowa was accidentally given a megadose of opioids and ‘urgent’ cancer patients saw their surgeries delayed for a month after a multistate hospital IT system went down.
The number of cyberattacks on healthcare providers has more than doubled since 2016 – with 91 per year in 2021 compared to 43 five years ago
Up to 80 percent of hacks led to disruptions to operations – which lasted weeks
The latest analysis, by researchers from the University of Minnesota in Minneapolis, looked at 374 ransomware attacks across the US between January 2016 and December 2021.
Results showed that the frequency of the hacks more than doubled in that time — from 43 breaches in 2016 to 91 last year.
Cybercriminals also appear to be getting bolder, with the number of attacks on major organizations spanning multiple states increasing.
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
Without access to patient records and other hospital programs, including drug dispensing systems, doctors and nurses are effectively treating patients in the dark.
Almost half (44 percent) of ransomware attacks disrupted the delivery of health care, with one in 10 leading to canceled appointments or operations and 4 percent causing ambulance diversions.
In total, the medical records of 41.9million Americans were accessed in that time, but hackers became much more adept at obtaining patient information.
In 2016, approximately 1.3 million records were accessed, compared to more than 16.5 million in 2021 — an 11-fold increase.
Across all 374 attacks, approximately one in 5 healthcare organizations were reportedly able to restore data from backups.
But for 16 percent of ransomware attacks, there was evidence that ransomware actors had made some or all of the stolen medical information public, usually by posting it on dark web forums.
Of the hacks over the past five years, 9 percent caused disruptions that lasted two or more weeks.
Yet the researchers say the actual number of cyberattacks ‘are likely underestimates due to underreporting’.
Guidance from the Department of Health and Human Services (HHS) states that healthcare providers must report a ransomware attack if more than 500 individuals are affected.
But the researchers warn there is confusion about whether hacks must be reported through official channels when they involve encryption, but not actual removal, of data from computer systems.
Writing in the repot, they said: ‘Additionally, current reporting requirements lack either an enforcement mechanism or a penalty for noncompliance.
‘Even when an entity reports an attack, there is no sanction for doing so outside of the legislated 60-day window, which may explain the high proportion (53.5 percent) of ransomware attacks with delayed reporting.
‘Rather than health care organizations self-correcting as ransomware attacks become more common, we found an increase over time in the share of attacks that were reported late.
‘Missing attacks and delayed reporting suggest opportunities for legislators who wish to strengthen data collection around cyberattacks, particularly ransomware, so as to shape an informed and well-targeted policy response.’