December 2021 Data
The healthcare industry continues to face significant threats, with data breaches and ransomware attacks still leading the pack. While ransomware-attributed breaches declined compared to those in 2020, healthcare data breaches throughout 2021 continued to be reported at a rate of over 1 per day.
This is the first in a series of deeper dives into the healthcare industry’s cybersecurity incident data, supplied by the federal government and compiled on a monthly basis to highlight the numbers and costs across several metrics.
December 2021 Healthcare Breaches and Highlights
Organizations are required to report healthcare data breaches of Protected Health Information (PHI) to remain in compliance with HITECH and HIPAA standards. In 2021, over 550 organizations federally reported healthcare data breaches.
HIPAA states that a breach of 500 or more records must be reported. There is no distinction between protected and unprotected data.
Let’s take a look at the data from December.
The top 6 ranked states for healthcare breaches for December 2021:
- Illinois: 11
- Florida: 11
- Indiana: 4
- Oklahoma: 4
- Arizona: 4
- Texas: 3
In top-ranked Illinois, 4 of the 11 breaches occurred on the same day from the same organization, all from hacking/IT incidents.
Breaches by Type
The number of individuals affected increased by 99% or 965,000 to 4.8M, affecting 1.4% of the US populace (which as of August 2021 was reported at 333,156,663).
We also see a decrease in the total cost by 65% in December, with an 82% decrease in average cost per organization.
General hacking/IT incidents rank most common by a large margin, followed by unauthorized access or disclosures in second place.
Average Cost Per Record
To put this into more granular terms, as if represented on a patient’s bill, the cost of data breaches per record stolen is increasing year over year:
- 2018: $408/record
- 2019: $429/record
- 2020: $499/record
January 2021 numbers were influenced by the ZeroLogon vulnerability that was being exploited at the time. The same could be said about the numbers in December 2021 in light of the Log4j vulnerabilities.
Breaches By Entity and By Month
To look at the data in another way, let’s see how different types of healthcare entities were affected in December.
Total breaches in December 2021: 52
- Business Associates: 8
- Health Plan: 4
- Healthcare Clearing House: 0
- Healthcare Providers: 40
- 45.9% increase in the number of breaches in comparison to the previous month
- 49.0% decrease in the number of breaches in comparison to October 2021
Endpoint Location of Breaches
Which devices were more affected by data breaches in December?
73% of December’s breaches occurred within network servers. Network servers as a percentage of those affected decreased by 3%.
The number of phishing incidents equals the number of losses in paper/films, which is the second-biggest category of losses this month.
Overall, the data presented shows that healthcare in general still plays whack-a-mole when it comes to breaches. It’s often the case that organizations are distracted while chasing the latest zero-day or are not able to properly identify a breach in their systems.
This is visualized by a spike of affected users after each major zero-day is announced and/or exploited. The issue could be addressed by risk management—a requirement of HIPAA—and proper patching.
Check Innovate Cybersecurity’s Research Section for future breakdowns of security data, including more from regulated industries such as the healthcare sector.