HIPAA Breach News

More Health Insurers Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed

Posted by HIPAA Journal

The number of healthcare organizations to announced they have been affected by the ransomware attack on Accellion has been increasing, with two of the latest victims including Trillium Community Health Plan and Arizona Complete Health.

In late December, unauthorized individuals exploited zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance platform and stole data of its customers before deploying CLOP ransomware.

Trillium Community Health Plan recently notified 50,000 of its members that protected health information such as names, addresses, dates of birth, health insurance ID numbers, and diagnosis and treatment was obtained by the individuals behind the attack and the data was posted online between January 7 and January 25, 2021.

Trillium said it has now stopped using Accellion, has removed all data files from its systems, and has taken steps to reduce the risk of future attacks, including reviewing its data sharing processes. Trillium is offering affected members complimentary credit monitoring and identity theft protection services for 12 months.

Arizona Complete Health has notified 27,390 of its plan members that they were affected by the attack and the same types of data have been compromised. The health plan has also stopped using Accellion and removed its data from its systems and offered plan members complimentary credit monitoring and identity theft protection services for 12 months.

Previously, the Ohio-based supermarket and pharmacy chain Kroger announced that it had been affected by the attack and the protected health information of 368,000 customers had been compromised. The University of Colorado and Southern Illinois University School of Medicine have also said they have been affected.

Lawsuits Filed Against Accellion and its Customers

Multiple lawsuits have now been filed against Accellion and its customers over the breach. Centene Corp. has filed a lawsuit against Accellion alleging it refused to comply with several provisions of its business associate agreement (BAA). The cyberattack resulted in the theft of the protected health information of “a significant number” of its health plan members. Centene believes it will suffer significant costs as a result of the breach and has requested the courts order Accellion to comply with the terms of its BAA and cover all breach-related expenses. Cenene said in the lawsuit that 9 gigabytes of its data was obtained by the attackers.

A federal lawsuit has also been filed against Kroger over the breach. The lawsuit, which seeks class action status, alleges Kroger was negligent and was fully aware of the potential security issues with the legacy file transfer solution, yet failed to upgrade to a more secure solution even after being encouraged to do so by Accellion. Kroger offered its customers 2-years of credit monitoring and identity theft protection services; however, since names, addresses, dates of birth, medical information and Social Security numbers were compromised, 2 years is not viewed as anywhere close to sufficient to protect kroger customers from identity theft and fraud.

The post More Health Insurers Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed appeared first on HIPAA Journal.

PHI of 26,600 Individuals Potentially Copied in Colorado Retina Associates Phishing Attack

Posted by HIPAA Journal

On January 12, 2021, Denver-based Colorado Retina Associates discovered the email account of one of its employees had been accessed by an unauthorized individual who used it to send phishing emails to individuals in the employee’s contact list. The email account was immediately secured and a cybersecurity firm was engaged to investigate the incident to determine the extent of the breach.

That investigation concluded on February 24, 2021 and revealed other email accounts had also been compromised, two of which contained patients’ protected health information. The nature of the attack meant that between January 6, 2021 and January 17, 2021, synching may have occurred. That means the contents of the email accounts may have been copied to the attacker’s device.

A comprehensive review of the email accounts was performed which revealed the protected health information of 26,609 individuals was stored in the accounts. The types of PHI varied from individual to individual may have included full names, date of birth, home addresses, phone numbers, email addresses, dates of service, diagnoses and conditions, labs and diagnostic studies, medications, other treatment or procedure information, and certain health insurance, claims, billing, and payment information.

Fewer than 3% of affected individuals had their Social Security exposed, and fewer than 0.2% of individuals had their driver’s license, financial account, or payment card information exposed.

A password reset was performed across the entire email system and changes have been made to how authorized individuals access email accounts. Security awareness has also been reinforced across the entire workforce.

Affected individuals have now been notified and have been offered 12 months of identity theft protection services.

Walmart Discovers PHI of 2,067 Customers Potentially Compromised in Vendor Breach

On February 16, 2021, Walmart was notified by one of its suppliers about a security incident that may have involved the protected health information of Walmart customers.

The supplier used a data hosting service which was compromised on January 20, 2021. The attackers stole records related to 2,067 Walmart pharmacy customers which included information such as names, dates of birth, addresses, telephone numbers, medication information, prescription numbers, prescriber information, prescription dates, and a very small number of health insurance subscriber ID numbers.

The supplier said it immediately stopped using the data hosting service once it became aware of the breach. Walmart said it is reviewing the security practices of its supplier and will be monitoring the circumstances surrounding the data security event.

The post PHI of 26,600 Individuals Potentially Copied in Colorado Retina Associates Phishing Attack appeared first on HIPAA Journal.

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

Posted by HIPAA Journal

2021 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, hackers who took advantage of overrun hospitals to steal data and conduct ransomware attacks.

The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net.

The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised.

Healthcare Hacking Incidents Increased by 42% in 2020

Healthcare hacking incidents increased by 42% in 2020, continuing a 5-year trend that has seen hacking incidents increase each year. 470 incidents were classed as hacking-related breaches, which accounted for 62% of all breaches in the year. 31,080,823 healthcare records were compromised in the 277 incidents where the number of affected individuals is known. Many of the 2020 hacking incidents involved the use of ransomware. Ransomware attacks increased considerably in 2020, with more than double the number of ransomware attacks on healthcare organizations than in 2019.

Surge in Insider Data Breaches in 2020

There has been a four-year decline in insider breaches, but the Protenus report shows insider data breaches increased in 2020. More than 8.5 million records were exposed or compromised in those incidents – more than double the number of breached records by insiders as 2019. In fact, more records were breached by insiders in 2020 than in 2017, 2018, and 2019 combined. In 2020, 1 in 5 data breaches was an insider incident.

Insider breaches include insider errors and insider wrongdoing. 96 breaches involved insider error in 2020, of which data was obtained for 74 of the incidents. There were 45 cases of insider wrongdoing, with data obtained for 30 of the incidents. Errors by employees resulted in the exposure of the protected health information of at least 7,673,363 individuals and insider wrongdoing incidents resulted in the exposure/theft of at least 241,128 records.

Business Associates Often Involved

The number of data breaches involving business associates increased in 2020, with 12% of all breaches having at least some business associate involvement. Business associate breaches resulted in the exposure or theft of more than 24 million patient records, with 55% of all hacking incidents having some business associate involvement along with 25% of insider error incidents. The number of breaches involving business associates could be considerably higher as the researchers were unable to accurately determine if business associates were involved in many of the breaches.

Data Breaches Discovered Faster but Breach Reporting Slower

In 2020 it took an average of 187 days from the breach occurring to discovery by the breached entity, which is a considerable improvement on the 224-day average discovery time in 2019. In 2020, the median discovery time was just 15 days. However, there was considerable variation in discovery times, from almost immediately in some cases to several years after the breach in others.

Reporting on data breaches was slower than in 2019, with the average time for reporting a breach increasing from 80 days in 2019 to 85 days in 2020, with a median time of 60 days – the maximum time allowed for reporting a breach by the HIPAA Breach Notification Rule. The figures were based on just 339 out of the 758 breaches due to a lack of data.

“The current climate has increased risk for health systems as a new trend emerged of at least two data breaches per day, a troubling sign of the continuing vulnerability of patient information, heightened by the pandemic,” explained Protenus in the report. “Healthcare organizations need to leverage technology that allows organizations to maintain compliance priorities in a resource-constrained environment. Hospitals can’t afford the costs often associated with these incidents, as more than three dozen hospitals have filed bankruptcy over the last several months. Non-compliance is not an option.”

The post 2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches appeared first on HIPAA Journal.

Reinvestigation of 2019 Metro Presort Ransomware Attack Reveals PHI May Have Been Compromised

Posted by HIPAA Journal

The Portland, OR-based technology and communication solution provider Metro Presort suffered a ransomware attack on May 6, 2019 which resulted in the encryption of files and locked staff out of its systems. The ransomware attack was promptly identified and was contained by May 15, 2019 and the company was able to recover from the attack relatively quickly. An investigation into the attack found no evidence to suggest files were removed from its system, and since the company already encrypted customer data, the attackers would not have been able to access any sensitive information.

In October 2020, Metro Presort reinvestigated the attack and the secondary investigation was unable to confirm that files containing customer data were definitely encrypted before the attack. The invoices, statements, and spreadsheets that Metro presort processed for clients, including healthcare organizations, could potentially have been accessed. An analysis of those files confirmed they contained patient names, addresses, dates of birth, patient and health plan IDs or account numbers, appointment dates, treatment dates, and diagnoses and treatment codes, according to a substitute breach notice published on the Metro Presort website on November 24, 2020.

The incident has recently appeared on the HHS’ Office for Civil Rights website stating the PHI of up to 38,387 individuals may have been compromised. Metro Presort explained in its breach notice that the Department of Health and Human Services’ Office for Civil Rights investigated the breach, Metro Presort’s response, and its policies and procedures, and closed the case on December 31, 2020 after confirming no HIPAA violations had occurred.

“Both before and since this incident, MPI and has devoted considerable resources to maintaining and enhancing its data security, including implementation of the latest technical safeguards to prevent similar incidents, additional protections (encryption) of customer files, and security audits,” explained Metro Presort in its breach notice.

The post Reinvestigation of 2019 Metro Presort Ransomware Attack Reveals PHI May Have Been Compromised appeared first on HIPAA Journal.

Ransomware Gangs Claim Three More Healthcare Victims

Posted by HIPAA Journal

PeakTPA, a St. Louis, MO-based provider of health plan management and back-office services, has announced it suffered a cyberattack on or around December 28, 2020 in which protected health information was stolen.

The security incident was detected on December 31 and involved two cloud servers used by the company to manage program of all-inclusive care for the Elderly (PACE) claims.  According to the breach report submitted to the HHS’ Office for Civil Rights, the PHI of up to 50,000 individuals was stolen or exposed.

An investigation into the attack confirmed the attackers obtained full names, home addresses, dates of birth, Social Security numbers, PACE program IDs, and diagnosis and treatment information.

Affected individuals have been notified and offered complimentary membership to credit monitoring, fraud consultation, and identity theft restoration services via Kroll.

St. Bernard’s Total Life Healthcare, Inc., which provides PACE in Northeast Arkansas, and Rocky Mountain Health Care Services in Colorado Springs have confirmed that their patients have been impacted by the attack.

92,000 Individuals Affected by Preferred Home Care of New York Ransomware Attack

Preferred Home Care of New York, a Brooklyn, NY-based provider of in-home care services, experienced a ransomware attack on January 8, 2020 in which patient data was stolen. The attack was detected the following day. According to databreaches.net, samples of data stolen in the attack were uploaded to the Sodinokibi (REvil) data leak site in January.

External counsel for Preferred Home Care of New York explained in a data breach notification that the types of data obtained by the gang varied from individual to individual and may have included names, addresses, email addresses, phone numbers, dates of birth, financial information such as bank account numbers, Social Security numbers and medical information related to health assessments, physicals, drug screens, vaccinations, and TB tests, as well as FMLA and worker’s compensation claims.

92,283 individuals have been notified and complimentary credit monitoring and identity theft protection services have been offered to breach victims.

Newberry County Memorial Hospital Suffers Ransomware Attack

Newberry County Memorial Hospital in South Carolina has announced it suffered a ransomware attack in February that took certain servers out of action, forcing the hospital to switch to manual procedures while the attack was mitigated. The hospital had a full backup of its data and systems and was able to restore all encrypted data without paying the ransom.

The investigation into the attack is ongoing and no evidence has been found of unauthorized data access or data exfiltration to date. The hospital has since taken steps to improve security to prevent similar attacks in the future.

The post Ransomware Gangs Claim Three More Healthcare Victims appeared first on HIPAA Journal.

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

Posted by HIPAA Journal

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of 21 million Americans.

Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities.

From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019.

AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for bankruptcy protection in June 2019.

The multi-state investigation into the breach was led by the Indiana, Texas, Connecticut, and New York Attorneys General, with the Indiana and Texas AGs also participating in the bankruptcy proceedings to ensure that the investigation continued, and the personal and protected health information of breach victims was protected. AMCA received permission from the bankruptcy court to settle the multistate action and filed for dismissal of the bankruptcy on December 9, 2020.

The multistate investigation confirmed information security deficiencies contributed to the cause of the breach and despite AMCA receiving warnings from banks that processed AMCA payments about fraudulent use of payment cards, AMCA failed to detect the intrusion.

Under the terms of the settlement, AMCA is required to create and implement an information security program, develop an incident response plan, employ a qualified chief information security officer (CISO), hire a third-party assessor to perform an information security assessment, and continue to assist state attorneys general with investigations into the data breach.

A financial penalty of $21 million has been imposed on AMCA which will be distributed pro rata between the affected states; however, due to the financial position of the company, the $21 million financial penalty has been suspended. That payment will only need to be made if AMCA defaults on the terms of the settlement agreement.

“AMCA is a cautionary tale: When a company does not adequately invest in information security, the costs associated with a data breach can lead to bankruptcy – destroying the business and leaving affected individuals in harm’s way,” said Connecticut Attorney General Tong. “My office will continue to work to protect personal information even where the business that had the responsibility to do so cannot.”

“AMCA’s security failures resulted in 21 million Americans having their data illegally accessed. I am committed to protecting New Yorkers’ personal data and will not hesitate to hold companies accountable when they fail to safeguard that information,” said New York Attorney General Letitia James. “Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again.”

Indiana, Texas, Connecticut, and New York led the investigation and were assisted by Florida, Illinois, Maryland, Massachusetts, Michigan, North Carolina, and Tennessee. The Attorneys General of Arizona, Arkansas, Colorado, the District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington, and West Virginia also joined the settlement.

The post Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation appeared first on HIPAA Journal.

Unsecured Amazon S3 Buckets Contained ID Card Scans of 52,000 Individuals

Posted by HIPAA Journal

Premier Diagnostics, a Utah-based COVID-19 testing service, has inadvertently exposed the protected health information of tens of thousands of individuals.

Two Exposed Amazon S3 buckets were discovered by Bob Diachenko of Comparitech on February 22, 2021. It was not initially clear who owned the data, which related to patients from Utah, Nevada, and Colorado. The S3 buckets were eventually traced to Premier Diagnostics.

The S3 buckets contained two databases, one of which included around 200,000 images of scans of ID cards such as driver’s licenses, passports, state ID cards, medical insurance cards, and other IDs documents. The databases had been indexed by search engines and could be accessed over the Internet without a password.

Premier Diagnostics was determined to be the probable owner of the data on February 25, 2020 and attempts were made to contact the company. Contact was finally made on March 1, 2021 and the databases were secured the same day.

It is unclear whether the databases were found and downloaded by any individuals other then Diachenko in the week or more that the databases were accessible over the Internet. Premier Diagnostics confirmed to Comparitech that each individual had four scans: Two scans of a health insurance card and two scans of an ID document, so the IDs and insurance information of approximately 52,000 individuals were exposed. The ID cards included an individual’s name, age, address, gender, ID number, and their photo.

The second exposed Amazon S3 bucket contained a database that included the names, dates of birth, and test sample IDs from individuals who underwent a COVID-19 test, although the database did not include the test result. “Each of the 3,645 items in the bucket is a scanned table with dozens of patients,” explained Comparitech.

Nefilim Ransomware Gang Publishes Data Stolen from Atlanta Allergy & Asthma

Databreaches.net has reported Atlanta Allergy & Asthma in Georgia is one of the latest victims of the Nefilim ransomware gang, which recently published sensitive data on its dark web leak site that was stolen prior to the encryption of files. A 1.3 GB compressed archive was uploaded to the leak site that contained 597 files containing 2.5 GB of data.

The dumped data is a sample of an alleged 19GB of data stolen in the attack, with the Nefilim actors threatening to publish the remaining data if the ransom is not paid. The published data includes billing documents and patient audits that include highly sensitive personal, medical, and insurance information.

The incident has yet to appear on the HHS’ Office for Civil Rights website and the breach does not appear to have been announced by Atlanta Allergy & Asthma so it is currently unclear how many individuals have been affected.

Ransomware Gang Demanded $1.75 Million Payment from Allergy Partners of Western North Carolina

The Federal Bureau of Investigation (FBI) is investigating a February 23, 2021 ransomware attack on Allergy Partners of Western North Carolina that took its IT systems out of action for several days. As a result of the attack, the allergy center was unable to provide allergy shots to patients at its offices in Asheville and Arden. Normal services for patients resumed on March 1 at most of its locations.

According to a report filed with the police department, the attackers demand a ransom payment of $1.75 million for the keys to decrypt files.  Its IT department has been working round the clock to restore files and systems and third-party cybersecurity firms have been engaged to investigate the breach and determine if patient information was accessed or obtained by the attackers.

The post Unsecured Amazon S3 Buckets Contained ID Card Scans of 52,000 Individuals appeared first on HIPAA Journal.

New London Hospital Data Breach Affects Almost 35,000 Patients

Posted by HIPAA Journal

New London Hospital in central New Hampshire has discovered an unauthorized individual gained access to a file on its network in July 2020 and may have obtained the protected health information of 34,878 patients. A third-party cybersecurity firm was engaged to assist with the investigation and determined on February 16, 2021 that the file was accessed for a short period and may have been copied.

The file contained patient names, limited demographic information, and Social Security numbers; however, no diagnosis, treatment, or hospitalization information was compromised. New London Hospital is unaware of any misuse of information contained in the file. The network system on which the file was stored is no longer used by the hospital.

Additional safeguards have now been implemented to prevent similar breaches in the future. All patients have been notified and offered complimentary credit monitoring and identity theft protection services.

Child Focus Reports Malware Infection and 2,700-Record Data Breach

Child Focus, a Cincinnati, OH-based nonprofit that provides support to children and their families through early learning, behavioral health and foster care programs, has announced its systems have been hacked and malware deployed, which may have allowed the hackers to access sensitive patient information.

After discovering a potential breach of its core IT systems, third-party cybersecurity specialists were engaged to investigate the incident and determine the nature and scope of the breach. The electronic health record system and application database were not affected; however, Child Focus was informed on January 5, 2021 that the attackers may have been able to view the protected health information of 2,716 individuals, including names, dates of birth, Social Security numbers, health and treatment-related information, and state Medicaid numbers.

Affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services. Child Focus has also taken steps to improve system security, including implementing enhanced controls for remote access to its systems and advanced endpoint detection and response software on all endpoints and workstations.

Orlando Health South Lake Hospital Loses Logs Books Containing PHI of 1,623 Patients

Orlando Health South Lake Hospital has discovered logbooks used for recording patients’ hospital visits have been lost or stolen. The logbooks were discovered to be missing between December 24 and December 28, 2020. An extensive search was conducted, but the logbooks could not be located.

Hospital staff used the logbooks for recording information about obstetrics patients which included information such as patient names, dates of birth, medical record numbers, hospital account numbers, dates of service, attending physician, chief complaint, and/or internal hospital service codes. The data related to 1,673 patients who received care between April 20, 2019 and December 23, 2020.

The logbooks were kept in an area of the hospital that was not open to the public, so the hospital does not believe the logbooks have left the facility. Internal policies and procedures are being reviewed and will be revised, as necessary, to improve information security and the hospital is considering other more secure methods of recording patient data.

The post New London Hospital Data Breach Affects Almost 35,000 Patients appeared first on HIPAA Journal.

Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion

Posted by HIPAA Journal

Ransomware attacks on the healthcare industry skyrocketed in 2020. In 2020, at least 91 US healthcare organizations suffered ransomware attacks, up from 50 the previous year. 2020 also saw a major ransomware attack on the cloud software provider Blackbaud, with that attack known to have affected at least 100 US healthcare organizations.

The first known ransomware attack occurred in 1989 but early forms of ransomware were not particularly sophisticated and attacks were easy to mitigate. The landscape changed in 2016 when a new breed of ransomware started to be used in attacks.

These new ransomware variants use powerful encryption and delete or encrypt backup files to ensure data cannot be easily recovered without paying the ransom. Over the past 5 years ransomware has been a constant threat to the healthcare industry, with healthcare providers being increasingly targeted in recent years. Attacks now see sensitive data stolen prior to file encryption, so even if files can be recovered from backups, payment is still required to prevent the exposure or sale of stolen data.

Healthcare ransomware attacks cripple IT systems, prevent patient medical records from being accessed, cause disruption to patient care, and put patient safety at risk. Recovering data and restoring systems can take weeks or months and mitigating the attacks is expensive, with considerable loss of revenue due to downtime. In 2020, the ransomware attack on the University of Vermont Health Network was costing $1.5 million a day in recovery costs and lost revenue.

The True Cost of Healthcare Ransomware Attacks

Researchers at Comparitech recently conducted a study to identify the true cost of ransomware attacks on US healthcare organizations. The researchers gathered information on all ransomware attacks reported to the US Department of Health and Human Services’ Office for Civil Rights since 2016, as well as attacks reported through media outlets but were not made public by OCR as they affected fewer than 500 individuals.

Calculating the true cost of healthcare ransomware attacks is difficult, as only limited data is made public. Ransoms may be paid, but the amounts are often not disclosed and attacks that affect fewer than 500 individuals are often not made public.

The researchers identified 92 healthcare ransomware attacks in 2020, including the attack on Blackbaud. More than 600 separate hospitals, clinics, and other healthcare facilities were affected by those attacks, with a further 100 affected by the attack on Blackbaud. Those attacks involved the theft or exposure of the protected health information of at least 18,069,012 patients.

Ransom demands were issued ranging from $300,000 to $1.14 million, with data from Coveware indicating an average ransom demand of $169,446 in 2020. $15.6 million in ransoms were demanded from healthcare organizations in the United States in 2020, and $2,112,744 is known to have been paid to ransomware gangs in 2020. The true figure is substantially higher as many ransoms were paid but the amounts were not publicly disclosed.

In addition to the ransom payment there is the cost of downtime, which in some cases can be weeks or months following the attack. Coveware research indicates the average downtime ranged from 15 days in Q1, 2020 to 21 days in Q4, 2020. The Comparitech researchers determined the total downtime from the attacks in 2020 was likely to be 1,669 days. Using a 2017 estimate of the cost of downtime of $8,662 per minute, the researchers determined the attacks cost at least $20.8 billion in 2020, which is more than double the estimated cost of ransomware attacks in 2019 ($8.46 billion).

The researchers identified 270 healthcare ransomware attacks in the United States between January 2016 and December 2020, which affected around 2,100 hospitals, clinics, and other healthcare facilities. The attacks resulted in the theft or encryption of the records of more than 25 million individuals, with the overall cost to the healthcare industry estimated to be $31 billion.

 

Healthcare ransomware attacks 2016-2020. Source: Comparitech.

Healthcare ransomware attacks 2016-2020. Source: Comparitech.

You can view the full findings from the Comparitech healthcare ransomware study on this link.

The post Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion appeared first on HIPAA Journal.