Recent data breaches at Wichita medical offices highlight the threats that health care providers and regulators face amid the growth of cybercrime directed at the medical industry.
by Suzanne King
Takeaways:
- Ransomware and other data breaches pose a huge problem in health care, affecting 88 million Americans in the first 10 months of 2023.
- An industry trade group said hospitals hit with attacks pay up about a third of the time.
- Medical providers in Wichita are among the victims. Wichita Urology Group and Kansas Joint & Spine Specialists recently reported data breaches.
Since December, at least two Wichita medical practices joined a growing and unwelcome trend in health care: They got hacked and had to tell patients that their personal medical and financial information was in the hands of cybercriminals.
In early December, Wichita Urology Group said more than 5,000 people may have been affected by a breach — the second in a year to hit the medical practice. At the beginning of 2023, Wichita Urology announced that hackers had stolen the names, addresses, birthdates, Social Security numbers, medication information and financial information of almost 1,500 patients.
Then this week, Kansas Joint and Spine Specialists in Wichita reported a “cybersecurity incident” that happened in June, which may have affected patients and employees. It is unknown how many people’s data was compromised, but the Texas attorney general said it involved almost 400 victims from that state.
Data breaches threaten to spill your most intimate medical secrets and financial information onto the internet. They happen when hackers get into a computer network and steal information. Increasingly, the attacks involve ransomware, which is the most common form of cyberattack.
Criminals, often in other countries, find their way into a computer network and take control of it. Then they threaten to expose sensitive health and financial data and disrupt business operations unless a ransom is paid. Sometimes the attackers also go after patients individually, experts said.
Ransomware attacks increased by 278% between 2019 and 2023. All health care data breaches combined touched 88 million Americans in the first 10 months of 2023 alone, according to the U.S. Department of Health and Human Services Office for Civil Rights.
In 2016, Wichita’s Kansas Heart Hospital was hit with a ransomware attack and ended up paying the ransom hackers demanded.
For the most part, hospitals won’t talk about the threat. They believe doing so can suggest vulnerability and invite more attacks. But a leading hospital trade group says that what happened at Kansas Heart Hospital eight years ago isn’t unusual. At least a third of the time, said John Riggi, national adviser for cybersecurity and risk with the American Hospital Association, hospitals pay a ransom.
“We hope that they don’t,” he said, “but in certain instances they are forced to pay. They are paying under duress.”
While ransomware attacks are common across many industries, they pose a particular danger in health care. Patients’ privacy and lives are on the line.
A recent study from researchers at the University of Minnesota found that attacks significantly decreased hospital admissions and revenue, but drove up deaths among patients who were already admitted when the attack happened.
Regulators and industry groups like the AHA strongly discourage ransom payments because they are believed to encourage future attacks, but sometimes hospitals decide the urgency of their mission outweighs the financial cost.
Other than to say they are working with law enforcement and outside security consultants, most hospitals and medical practices hit with ransomware attacks or data breaches aren’t disclosing how they responded to attackers’ demands.
But even if the attacks aren’t being publicly discussed, it’s clear they are happening nearly every day. One industry survey last year of 3,000 health care organizations in 14 countries found that 60% had been hit.
In recent months, Kansas organizations reporting a hacking incident on the Office for Civil Rights Breach Portal include the Dickinson County Health Department, Community Memorial Healthcare in Marysville, CKF Addiction Treatment, Psychiatry Associates of Kansas City and the specialty infusion company Amerita.
A few days before Christmas, Liberty Hospital in Liberty, Missouri, announced it was experiencing a “communications systems outage.” KMBC News reported that the hospital had received this message from hackers: “We have hacked you and downloaded all confidential data of your company. And it can be spread out to people and media. Your reputation will be ruined. Do not hesitate and save your business. We’re the ones who can quickly recover your systems. Starting from now, you have 72 hours to contact us.”
The incident, which the hospital later called a “cybersecurity incident,” forced the hospital to cancel appointments, curb emergency room operations and transport patients to other Kansas City area hospitals. It is still unclear what information was exposed or if the hospital paid off the attackers.
In November, the University of Kansas Health System St. Francis campus in Topeka was also a target of a ransomware attack that forced the hospital to disable its patient chart portals for almost a month, only restoring full service Jan. 9. The hospital said it is still investigating how much patient information was compromised.
And on Jan. 3, North Kansas City Hospital in North Kansas City, Missouri, reported a “hacking/IT incident” to the Office for Civil Rights that may have affected more than 500,000 people. The incident, which involved a hospital vendor, occurred between March 27 and May 2.
“The breaches that involve health care — private health information — are probably the most disturbing,” said Teresa Murray, consumer watchdog director with the Public Interest Research Group. “You can’t put that toothpaste back in the tube.”
Maureen M. Brady, a Kansas City, Missouri, lawyer who specializes in representing victims of medical data breach incidents, said her clients are facing serious loss. Medical data breaches, she said, are far worse than financial data breaches.
“You can change your credit card information,” she said. “You can change your bank account information. But you can’t change who you are. You cannot change how you were born. You can’t change your medical condition. And those are things, once lost, cannot be regained.”
Hospitals need to improve training for employees who are handling personal health data and put systems in place to prevent the loss in the first place, Brady said. That is part of what consumers are paying for.
“It’s not three grand to turn on the machine,” she said. “It’s three grand to keep the lights on and train the staff and buy computers. And part of that is privacy.”
Hospitals increasingly depend on a network of computer systems to store patient health records, power imaging equipment and dispense medication. When hackers get into health care networks, they can expose personal information and financial data in a single pounce.
Murray said hospitals and health care providers should tell patients about any data breach immediately so they can be on guard for potential scams. That isn’t happening often enough, she said. If patients are notified in January of an attack that happened at the end of November, the damage may already be done.
“How many emails, phone calls, text messages have they gotten in the last seven weeks?” she said.
Scams often work like this: Criminals get details about your health care history. When they call or text pretending to be your doctor’s office, for example, they can mention those things and verify your personal details, so you may be convinced they are, in fact, your doctor calling to remind you of an appointment or confirm an upcoming test. Instead, they are tricking you into giving them a credit card number or a verification code that will unlock an online account.
As soon as you engage or hand over information, you’ve opened yourself to fraud, Murray said. If you get an unexpected call from a health care provider, hang up and call back yourself to the number you know is legitimate, she said.
“If you call your doctor at 9 o’clock this morning for something and they call you back 15 minutes later, you’re probably OK,” she said. “But (avoid) any call that’s unexpected. Anything.”
Murray said patients can help protect themselves by being sure the password they use on health care portals or websites is unique and not used elsewhere. And they should activate two-factor authentication, which requires a password and a unique code for access.
The volume of ransomware attacks is increasing because hospitals and other health care organizations rely more heavily on technology, experts said. For the most part, health records are now digital, including financial information. Hospitals, medical offices and labs share information across the internet. Even getting a CT scan or a dose of medication requires the network.
Riggi of the AHA said ransomware attacks posed a problem before COVID shut down the world in 2020, but the pandemic tempted even more hackers. Suddenly, hospitals were sending legions of administrative employees off to work from home through untested and sometimes less-than-secure cloud-based systems and devices.
“All of this created what we call an expanded digital attack surface,” Riggi said, “meaning there were many more entry points and many more potential vulnerabilities.”
Riggi described an extensive dark economy made up of hacking groups in places like Russia, China, North Korea and Iran — where political regimes provide safe harbor to cyber gangs.
“The bad guys have become very good and very proficient at conducting attacks,” Riggi said. “They share information on the dark web, they cooperate with each other. An entire industry for hacking and conducting ransomware attacks has developed.”
Riggi said it’s almost impossible for hospitals to avoid attack.
“We always say the risk can never be eliminated 100%,” he said. “The best we can hope to do is to mitigate it down to as low as possible, because not even the federal government is immune.”
Last summer the Centers for Medicare and Medicaid Services experienced a data breach that affected more than 600,000 beneficiaries.
Jennifer Watts, chief emergency management director at Children’s Mercy Hospital in Kansas City, Missouri, said the hospital regularly conducts downtime drills, so providers — many of whom have never worked in an era of paper charts — know how to manage if the technology isn’t working.
“When it hits, it is extremely impactful, so we prepare as best that we can,” she said. “But no matter how much you prepare, if an event like that’s going to happen, it’s going to have an impact. What we hope, though, is (to) mitigate as much impact as possible.”
Despite the risks, digital technology has improved care available to patients.
Children’s Mercy last year launched a central technology hub that uses a NASA-like control center, powered by artificial intelligence and predictive analytics, to monitor everything from patient care to hospital bed availability. Watts, who also leads that effort, known as the Patient Progression Hub, said the technology has already helped drastically reduce discharge wait times and it helped the hospital better prepare for this year’s surge of respiratory viruses.
Protecting health care’s technology infrastructure from criminals should be a government priority. The problem is far too complex for hospitals to handle alone.
In an effort to respond, federal lawmakers have established the Joint Ransomware Task Force to coordinate the government’s efforts to deal with the growing problem. The Biden administration has focused on implementing minimum cybersecurity practices for industries that operate parts of the country’s critical infrastructure, including hospitals. It is also working with other countries to establish best practices for handling ransomware attacks, and the U.S. is promising to step up pressure on the countries sheltering cybercriminals.
“If a disruptive attack happens from a country, even if it’s done by a criminal for purely financial reasons, the country needs to take accountability, arrest that individual, for example, or prevent it happening in the first place,” Anne Neuberger, President Joe Biden’s adviser for cyber and emerging technology, said at an October forum.
In the meantime, ransomware attacks cost the global economy $8.7 trillion in 2022, Neuberger said.
That may be the biggest reason the number of ransomware attacks continues to rise. The hackers are making money.
Even though experts advise against it, warning that paying offers no guarantee the attackers will actually restore the data, many victims decide to pay up to get their data back. For hospitals, that can mean hundreds of thousands to millions of dollars. Hospitals may have insurance to cover some of the cost, but that rarely pays the whole bill.
“Generally the cost of a ransomware attack, including the ransom payment, technical remediation, forensics, credit monitoring, legal, regulatory and potential civil liability far exceeds the insurance coverage,” Riggi said. “It ends up impacting the financials in a very negative way for hospitals.”