Sizing Up the Worst Healthcare Hacks of 2023

In many cases, the hacks triggered other types of serious fallout – most notably disruption to patient care delivery – as well as other consequences, including financial and reputational damage. Plus, nearly all major data breaches these days end up in court. And the bigger the hack, the more proposed class action lawsuits that get filed.

The Department of Health and Human Services’ Office for Civil Rights’ HIPAA Breach Reporting Tool paints a picture of the immense mountain of patient records exposed by hacks in 2023.

The biggest of those incidents include a mix of entities – large healthcare delivery organizations, health plans, a pharmaceutical services company and a medical transcription firm.

Of the 653 major health data breaches posted to the HHS OCR website in 2023 as of Dec. 15, affecting more than 116.5 million individuals, 515 were reported as hacking incidents, affecting nearly 108 million individuals.

So while hacking incidents made up about 80% of those 2023 breaches, they accounted for nearly 93% of people whose information was compromised in major health data breaches reported to federal regulators so far this year.

10 Largest Health Data Breaches in 2023 Involving Hacks

Ransomware attacks by cybercriminals involving data exfiltration incidents soared in the healthcare sector in 2023. They included hacks on third-party software such as Progress Software’ MOVEit and Fortra’s GoAnywhere file transfer applications, resulting in thousands of victim entities globally across all sectors – and tens of millions of individuals – including in healthcare – having their information stolen.

As of Dec. 15, the largest MOVEit incident affecting the healthcare sector appears to have been reported by Welltok, a medical patient communication services provider that is part of Virgin Pulse. Welltok’s MOVEit breach has affected nearly 8.5 million individuals so far.

Another recent large healthcare sector breach involving the MOVEIt file transfer software vulnerability exploit was reported to Maine’s attorney general on Dec. 14 by Delta Dental.

The dental insurance provider said it is notifying nearly 7 million individuals that their PHI was affected by a June 1 hack on the MOVEit software used by Delta. As of Dec. 15, the Delta Dental MOVEit hack had not yet been posted on the HHS OCR website of major HIPAA breaches. But once it is added to the federal tally, it will undoubtedly land among the top 10 largest health data breaches in 2023.

The largest of all the MOVEit hacks so far across all industries – affecting 11 million individuals – was reported by U.S. government contractor Maximus, according to security firm Emsisoft.

The Maximus hack compromised the protected health information of about 2.8 million people and counting, according to the company’s breach report filed to HHS on Aug. 4. The Maximus hack also ranks among the top 10 largest health data breaches reported in 2023.

Specialty Hacks

Hacks on specialty services providers to the healthcare sector have also affected long lists of healthcare entity clients.

“The data breach at medical transcription company Perry Johnson & Associates was a particularly noteworthy incident in the healthcare sector,” said Ani Chaudhuri, co-founder and CEO of security firm Dasera.

The breach affected nearly 9 million patients nationwide, including more than 4 million New Yorkers who are patients of Northwell Health and Crouse Health.

“The PJ&A consequences were significant due to the potential for widespread identity theft,” Chaudhuri said. “Such incidents emphasize the vulnerability of healthcare institutions, even those not typically in the limelight, underlining the need for comprehensive cybersecurity strategies regardless of the organization’s size.”

Hacks on other specialty healthcare providers also affected large swaths of their patients. Those include a recent hacking breach reported by New York-based East River Medical Imaging that affected nearly 606,000 individuals.

“Specialty healthcare providers are viewed as low-hanging fruit, based on their inability to employ effective preventive controls such as user training and vulnerability management, as well as a lack of monitoring the network for signs that prevention has failed in order to mitigate the impact with a rapid response,” said Mike Hamilton, CISO and co-founder of security firm Critical Insight.

“Combined with the fact that the records held are just as valuable as those in larger institutions, smaller specialty providers are easy and lucrative targets.”

While some cybercriminal groups appear to be skipping data encryption in their ransomware attacks and going straight to data exfiltration, many of the incidents involving data encryption have had a dramatic impact on their victims.

These include attacks on hospital chains such as Prospect Medical and Ardent Health Services, which disrupted patient delivery services for weeks.

But, of course, this isn’t just an American problem. A ransomware attack in October on TransForm Shared Service Organization was still affecting its five hospital members in Ontario in December (see: Ontario Hospitals Expect Monthlong Ransomware Recovery).

In that and many similar situations involving ransomware attacks on hospitals, patient treatments had to be postponed, canceled or shifted to other facilities that were not involved in the incident.

“There have been numerous reports and studies documenting how radiation and other crucial cancer treatments have been canceled or delayed because of cyberattacks,” Jon Moore, chief risk officer at privacy and security consultancy Clearwater, said. “We should not underestimate the profound impact this has on the well-being of these vulnerable patients.”

Similar attacks in Europe disrupted healthcare during the year. A July cyberattack against Swedish software and services vendor Ortivus severed access to digital health records for at least two National Health Service ambulance services in the United Kingdom. Paramedics had to resort to using pen and paper to manage patient information (see: Software Vendor Attack Slows Down 2 UK Ambulance Services).

Though rare, the lasting impact of ransomware attacks pushed some already financially strapped healthcare entities over the edge – or pretty close – in 2023. In June, rural Illinois medical system St. Margaret’s Health shut down permanently partly due to fallout from a 2021 ransomware incident.

Meanwhile, the planned sale of Prospect Medical’s Connecticut Health Systems – including three hospitals – to Yale New Haven Health is still in jeopardy due to worsening financial and other problems at the facilities in the aftermath of an August cyberattack on Prospect, according to local media outlet CT Mirror (see: Some Prospect Medical Hospitals in Dire State, Post-Attack).

Prospect Medical, which is based in California and operates 17 hospitals, reported the incident to federal regulators as a health data breach affecting about 342,400 individuals. So while that attack didn’t affect millions of patient records, as many other attacks did, the impact was just as significant for financial reasons.

A handful of hacks on healthcare entities have been especially sinister. One that stands out in particular was the cyber assault on Lehigh Valley Health Network, Moore said.

In that hack, BlackCat cybercriminals, frustrated by the lack of ransom payment from the health network, resorted to releasing sensitive medical photos of breast cancer treatment patients they had stolen from the health system (see: BlackCat Leaking Patient Data and Photos Stolen in Attack).

“Beyond the breach itself, this deplorable act raises questions about the ethical boundaries of cybercriminals and the emotional toll it exacts on the affected patients and their families,” Moore said.

“As professionals in the healthcare industry, we sometimes become numb to the statistics and numbers associated with breaches and compromised records. However, these stories serve as poignant reminders of why the work we do is not just meaningful but vital,” he said.

“We must prioritize cybersecurity efforts not only to protect data but also to safeguard the lives and well-being of the patients and communities we serve. These personal stories are a testament to the significance and urgency of our mission in securing healthcare data and systems.”

Info stealer infections affecting employees’ personal and enterprise devices exploded in 2023, said Scott Small, director of cyberthreat intelligence at security firm Tidal Cyber.

In an attack in September on a French hospital in the city of Brest, he said, “Actors linked to the FIN12 group used valid credentials belonging to a healthcare professional to connect to an internet-exposed remote desktop service and gain backdoor access to the center’s network. The credentials were likely compromised via info-stealing malware.”

“FIN12 was responsible for multiple high-profile ransomware attacks on U.S. hospitals in 2020 but has widened its targeting since,” Small said. He added that the September attack demonstrates that healthcare remains a viable target for highly capable financially motivated actors including LockBit, Alphv/BlackCat and others.

Wishful Thinking

A small share of noteworthy attacks in 2023 appear to not have had the impact some hacker groups might have wished for.

They include a campaign early in 2023 in which the KillNet hacktivist group launched daily DDoS attacks against nearly 100 healthcare organizations, including pharmaceutical companies, hospitals and insurers (see: HHS, AHA Warn of Surge in Russian DDoS Attacks on Hospitals).

“KillNet is one of several actor collectives behind coordinated denial-of-service attacks in recent months amid escalating conflict in the Middle East. These groups’ heightened activity levels and known historical impact on the healthcare sector means they should remain on defenders’ radars for the foreseeable future,” Small said.

Early warnings about the DDoS campaign from U.S. authorities and industry groups, including the American Hospital Association, helped to blunt the effect of the attacks on most hospitals (see: Cyber Fail: More Bumbling Cybercrooks, Avoidable Breaches).

Looking Ahead

In 2024, the healthcare sector needs to keep a watchful eye on other disturbing developments that started this year and will undoubtedly continue next year, some experts said.

There has been a notable surge in business email compromise attacks, some of which creatively extended to text messaging and voicemail, according to Moore.

While these incidents often escaped public attention due to a lack of reporting requirements, they posed a serious threat to healthcare entities. “These attacks typically involved the impersonation of senior executives, coercing staff members into initiating unauthorized wire transfers or disclosing sensitive data,” he said.

This trend underscores the adaptability of cybercriminals in exploiting various communication channels. “We are now getting anecdotal evidence of the use of AI and deepfake techniques to enhance these attacks,” Moore said.

The second developing trend involves the constant evolution of ransomware and its double and triple extortion flavors, according to Moore. “What’s noteworthy is the growing recognition within the industry of the direct impact these attacks have on patient care and patient outcomes” he said.

Hospitals, in particular, bore the brunt of these malicious campaigns. Some estimates put the number of hospitals affected by ransomware attacks this year to be around 300 hospitals, Moore said. “While there’s a positive aspect in the increasing acknowledgment of this issue, the downside is that these attacks continue to jeopardize patient well-being.”

Chaudhuri said he anticipates an increase in targeted phishing attacks exploiting human error in 2024. “Additionally, we might see increased attacks exploiting internet of medical things devices as these become more integrated into healthcare services,” he said. “Attackers are likely to exploit the interconnected nature of these devices, leading to more sophisticated breaches.”