Healthcare

Breach Report
July-Dec 2021
Security Research and

Data Analysis
 Healthcare breach report 2021, H2

Table of Contents
Overview 1
Who is Getting Breached? 5
What Are The Most Common Breach Causes? 8
How Are Heathcare Providers Targeted? 10
What You Can Do 13
Contributors 15

https://criticalinsight.com
© 2022 Critical Insight Inc.
 Healthcare breach report 2021, H2

Overview

As we enter the second year of Similarly, IT departments at

the pandemic, healthcare healthcare organizations are

systems are under facing critical skills and staffing

unprecedented and unrelenting shortages as they battle the

stress. Frontline healthcare latest cyberattack variants.

workers are understaffed and They’re stretched so thin dealing

overworked. Hospitals are so with pandemic-related crises that

overcrowded that they have routine security measures may

been forced to postpone fall by the wayside, breaches may

routine medical procedures go undetected for months, and

until the latest surge of efforts to validate the security

COVID-19 cases subsides. measures undertaken by affiliates

and third parties may fall short.

https://criticalinsight.com

© 2022 Critical Insight Inc.

1
 Healthcare breach report 2021, H2

Critical Insight’s latest analysis of security providers) in response to

breaches reported to the U.S. the surge in attacks that
Department of Health and occurred in 2020, when cyber-
Human Services by healthcare criminals ramped up their efforts
organizations shows that the to take advantage of
total number of breaches and the vulnerabilities that were exposed
total number of records of during the early, chaotic days of
protected health information the pandemic.

(PHI) that were exposed hit all-

time highs in 2021.

However, this is no time for

security teams at healthcare
The silver lining is that the organizations to let their guard
number of reported breaches down. Attackers are aiming at
and the number of individuals bigger targets. Exploits,
affected declined slightly over particularly ransomware, are
the second half of 2021, becoming more sophisticated.
compared with the first half of And cybercriminals are
the year. It’s too early to tell if expanding their activities to take
that modest improvement advantage of security
represents the beginning of a vulnerabilities across the
longer trend in the right direction.

healthcare supply chain, from

business partners to health plans
The results could indicate that to outpatient facilities.

security teams have done a good

job shoring up their defenses Healthcare breaches and the
(either internally or through individuals affected by them are
partnerships with managed on the rise year over year, with an
https://criticalinsight.com
© 2022 Critical Insight Inc.
2
 Healthcare breach report 2021, H2

84% increase in the total number has tripled over the same

of breaches between 2018 and period, from 14 million in 2018

2021. The total number of

to 45 million in 2021.

individuals affected

Total Breaches and Individuals Affected Over Time

Individual records affected

800 48M
Yearly reported breaches

600 36M

400 24M

200 12M

0 0

2018 2019 2020 2021

Individuals 14.14M 42.37M 34.03M 44.91M

Breaches 369 512 663 679

Key Findings

The total number of The total number of breaches

individuals affected increased only rose 2.4% from 2020 but

32% over 2020, meaning that still hit historic highs.

more records are exposed per

breach each year.

https://criticalinsight.com

© 2022 Critical Insight Inc.

3
 Healthcare breach report 2021, H2

While breaches have increased or may have been due to dwell

year over year, when we look at time, when the attackers were
half year totals we see that we inside the systems unnoticed.
may have begun a downward The number of individuals
trend after a spike in the second
affected follows the same trend
half of 2020. This spike may have along half years, declining from a
been due to healthcare spike of 26 million in the second
organizations being too busy to half of 2020, to 24 million in the
report during the first half of first half of 2021, to around 21
2020, when the pandemic first hit, million in the second half of 2021.
Total Breaches Reported by Half Year
400
393
368
300 311
278 270
200 234
185 184
100

0
H1 H2 H1 H2 H1 H2 H1 H2
2018 2019 2020 2021
Key Finding
Breaches have declined over periods, but are still higher than
the past two reporting pre-pandemic levels.

https://criticalinsight.com
© 2022 Critical Insight Inc.
4
 Healthcare breach report 2021, H2

Who is Getting Breached?

As we look at the increase in subsegments. Healthcare
healthcare breaches reported providers continue to be the
over recent years, it is important dominant entity who is breached,
to consider their targets, and but attacks on business
how breaches have changed
associates expose more records
over time in certain healthcare per breach than other entities.

https://criticalinsight.com
© 2022 Critical Insight Inc.
5
 Healthcare breach report 2021, H2

Breaches by Entity
100%
Healthcare Provider
Percent of total breaches

75%

50%

25% business

associate
health plan
0
2018 2019 2020 2021
Provider 273 397 515 493
Business 42 54 74 87
Associate
Health Plan 53 59 72 97
Other 1 2 2 2
Key Findings
Healthcare providers still Attacks against business
make up the majority of associates, or third party
successful attacks vendors, increased nearly
Attacks against health plans 18% from 2020.
jumped nearly 35% in 2021.
https://criticalinsight.com
© 2022 Critical Insight Inc.
6
 Healthcare breach report 2021, H2

2021 Breaches Involving Business Associates

healthcare provider

72.6% 61.5%
493 Breaches 27.6M records

12.8% 23.5%
87 Breaches BUsiness associate 10.5M records
14.3% health plan 15%
97 Breaches 6.7M records
A small percentage of other healthcare providers accounted for
2 breaches (0.3%) and 2,462 records.

Key Findings
Business associate breaches Business associate-related
have risen in frequency, and breaches accounted for
in 2021 involved far more nearly 13% of total breaches,
records per breach than other but almost one quarter of the
healthcare entity type. total individual records.

https://criticalinsight.com
© 2022 Critical Insight Inc.
7
 Healthcare breach report 2021, H2

What Are the Most Common Breach Causes?

Hacking/IT incidents are by far slightly in 2021, but theft, loss,
the most common breach type. and improper disposal stayed
They rose 9.9% between 2020 relatively low. These breach

and 2021, from 455 to 500 types can be prevented by

reported, which fortunately is a security training, and thus may
smaller increase than in previous indicate that entities are taking
years. Unauthorized access rose steps to protect their data.
2021 Total Breaches by Type

144
500 Unauthorized Access

/ disclosure

hacking / it incident
35
Theft, loss,

improper disposal
Key Finding
Hacking/IT incidents were were affected by breaches which
responsible for the majority 
 could indicate those records
of individual records that were sold on the Dark Web.
https://criticalinsight.com
© 2022 Critical Insight Inc.
8
 Healthcare breach report 2021, H2

Hacking Breaches by Healthcare Provider Microsegments

100%
30.0% 25.6% 36.6%
percent of hacking breaches

75%

34.2%
25.6%

22.3%

50%

44.4%
40.2% 41.1%

25%

2019 2020 2021

Clinic /
75 93 131
Outpatient

Hospital
64 124 80
Systems

Other 111 146 147

Key Finding

Hacking/IT incidents on Outpatient/specialty clinics

Healthcare providers are the have seen a 41% increase in

most common, both by hacking/IT incidents in the

breach type and entity. last year.

https://criticalinsight.com

© 2022 Critical Insight Inc.

9
 Healthcare breach report 2021, H2

How Are
Healthcare
Providers
Targeted?
“Since 2019, the healthcare being a favored tactic,” says the
sector has seen a shift from report, which broke down the
breaches caused by internal motives behind attacks as 91%
actors (either malicious or by financial, 5% fun, 4% espionage
mistake) to primarily external and 1% grudge.

actors. This is good news, as

no industry wants their Michael Hamilton, CISO at Critical

employees to be their primary Insight agrees that “we will see
threat actor,” according to the continuing ransomware attacks.”
2021 Verizon Data Breach But he also predicts that “efforts
Investigations Report.

by the federal government to

stop ransomware payment
“Financially motivated organized mechanisms, identify and
criminal groups continue to apprehend gang members, and
target this sector, with the disrupt their infrastructure will
deployment of ransomware show success.”

https://criticalinsight.com
© 2022 Critical Insight Inc.
10
 Healthcare breach report 2021, H2

In the meantime, healthcare 20/20 Eye Care Network

companies need to pay attention reported that 3.3 million patients

to all the other tricky ways that had their health information

attackers are getting their hands stolen after an Amazon Web

on PHI. Here are some recent Services cloud storage bucket

examples that show how difficult that was not properly configured

it is to protect against advanced and protected.

attack techniques.

CaptureRx provides third-party

administrative services to the

Accellion is a technology

healthcare industry. CaptureRx

provider that sells file transfer
was hit with a ransomware
appliances (FTA) that help
attack that exposed the records
companies move large email
of 2.42 million patients at
attachments. The ransomware
multiple healthcare organizations
group called Clop took advantage
including a hospital in New York,
of a vulnerability in the Accellion
a community health center in
gear to launch ransomware
Texas and a pharmacy chain in
attacks against hundreds of
the Midwest.
companies, primarily targeting

the healthcare sector. An

At St. Joseph's/Cander Health
estimated 3.5 million healthcare
System in Georgia, a
records were breached from
ransomware attack stole data
dozens of companies impacted
associated with 1.4M patients.
by the attack.
An investigation revealed that

https://criticalinsight.com

© 2022 Critical Insight Inc.

11
 Healthcare breach report 2021, H2

the hackers gained access to the organization is able to improve its

system more than six months own internal processes, protect its

before deploying the ransomware.

remote workers, keep patches up

to date, secure mobile devices

These examples highlight the and make sure cloud-based

challenges that healthcare systems are properly configured,

organizations face. Even if the that’s not enough.

https://criticalinsight.com

© 2022 Critical Insight Inc.

12
 Healthcare breach report 2021, H2

What You Can Do

Healthcare organizations must for reporting breaches? Is it

get their arms around third-party possible to contractually require

risk through a comprehensive incident reporting to business

risk management program. To associates?

begin with, organizations should

classify their business associates Additionally, healthcare

by level of risk based on the type organizations should be

of data that third parties are able constantly on guard for intrusions.

to access.

Security teams may feel that they

are overmatched, spending most

Organizations need to establish of their time putting out fires, but

procedures and processes Critical Insight can provide

associated with vetting third important services, such as

parties before granting them managed intrusion detection and

access to data.

response.

And, companies should be sure With this type of capability,

to emphasize security in any instead of an attacker slowly

business agreement with third bleeding data out of your

parties. Find out what types of organization over a period of

security policies they have in months, the attack is quickly

place for data protection. Have detected, and the bleeding is

they recently passed a security stopped. The next step is figuring

audit? What are their procedures

https://criticalinsight.com

© 2022 Critical Insight Inc.

13
 Healthcare breach report 2021, H2

out what went wrong and fixing vulnerability management and

whatever vulnerability existed.

cybersecurity risk assessments

so that healthcare organizations

Of course, in security and in can stay one step ahead of the

healthcare, prevention is always bad guys, and demonstrate

preferable to a cure. Critical compliance with regulatory

Insight offers penetration testing, requirements and standards of

incident readiness planning, practice.

https://criticalinsight.com

© 2022 Critical Insight Inc.

14
 Healthcare breach report 2021, H2

Contributors

John Delano

John has three decades of IT experience,

much of it in Healthcare as a CIO. He's

currently the Vice President of Ministry &

Support Services for CHRISTUS Health.

Michael Hamilton

Michael has more than 30 years’ experience

in Information Security, working in every

imaginable role. He’s a co-founder of Critical

Insight, its spokesperson, and CISO.

Trisha Lowe

Trisha has built a career around analyzing

data to improve businesses and the resulting

customer experience. She is currently the

Chief Experience Officer for Critical Insight,

previously running Business Analytics.

https://criticalinsight.com

© 2022 Critical Insight Inc.

15