It’s no secret that hospitals and other health care organizations are among the top targets for cybercriminals.

The ransomware attacks this year on UnitedHealth Group’s Change Healthcare subsidiary, nonprofit organization Ascension, and most recently the National Health Service in England illustrate not only the damage to these organizations’ infrastructure and the personal health data that’s stolen, but also the devastating rippling effects throughout the industry, from postponed medical procedures to unfilled prescriptions to facilities shutting down.

But where are hospitals getting hit by cyberattacks the most? According to a survey by QR Code Generator – its name clearly illustrates what it does – in the United States, Connecticut is home to the highest rate of health data breaches, with 1.5 breaches per 100 health firms from 2009 through last month. That number was 71% above the national breach average of 0.88. The state, with 7,680 health firms within its borders, has had 115 such data breaches affecting 3.47 million individuals, or an average of 30,190 per breach.

More than half of those breaches – 52% – were the result of hacking or IT incidents, according to QR Code Generator.

The next four states were Indiana, with a rate of 1.44 breaches per 100 health firms, Rhode Island (1.39), Iowa (1.34), and Massachusetts (1.32). Rounding out the top 10 were West Virginia (1.31), Tennessee and Kentucky with 1.26 each, Minnesota (1.21), and New Mexico (1.2). Of the top 10, Massachusetts had the highest number of breaches with 181, with Indiana next at 159, Minnesota with 147, and Tennessee with 141. Rhode Island had the fewest, with 33.

Idaho had the lowest number of data breaches per 100 health care facilities, at 0.36. Others with the lowest numbers were Louisiana, with 0.45, Hawaii (0.59), and California (0.61). Both New Jersey and South Dakota were at 0.63, just below Florida’s 0.64.

Data is the Target

In an increasingly connected world, data is among the most valuable commodities, with essentially every industry deriving benefits from data-driven decision making, according to QR Code Generator CEO Marc Porcar.

“If data can be linked to an individual, this dramatically increases its potency, and a person’s healthcare data is potentially some of the most intimate and individualized data available,” Porcar said in a statement. “In the right hands, this data can massively increase positive outcomes for a patient, plus it allows healthcare organizations to work efficiently.”

That said, “data breaches can put individuals at risk of invasion of privacy, harassment, and identity theft. This is why it is so serious when there is a healthcare data breach,” he said.

Among the breaches looked at in the study, hacking and IT incidents were by far the most reported, standing at 3,305. The second most was unauthorized access at 1,414, followed by theft, at 1,016.

For its study, QR Code Generator drew the health data breach information from the U.S. Health and Human Services Department’s (HHS) Office for Civil Rights. In addition, it used the U.S. Census Bureau for information about the health firms, which were those whose industry classification would likely lead to them handling patient data.

Health Care Under Attack

The numbers dovetail with what’s being seen in the health care field by others. HHS has reported a 93% increase in large data breaches in the industry between 2018 and 2022, which includes a 278% jump in ransomware attacks.

Cybersecurity firm Arctic Wolf in a report in April said IBM found the average cost of a health care breach is $10.93 million and pointed to Verizon’s annual Data Breach Investigations Report that found that the industry saw more than 500 cyber incidents in 2023. Arctic Wolf said that in a survey of its customers, health care was the top industry targeted by ransomware gangs.

There are a number of reasons why health care organizations are attractive targets, from increased digitization and interconnected medical devices across multiple physical locations to the huge amounts of data and an inclination to pay a ransom because of regulatory pressures and the high cost of downtime.

Another key is the growing dark web marketplace for data and credentials.

“Threat actors know that if they steal data, they can release it or sell it on the dark web to other cybercriminals, who in turn can use that data to launch future cyber attacks,” Arctic Wolf wrote. “This could include social engineering attacks on the victims of the original breach or the use of stolen credentials to hack into other organizations and their applications.”

Mandate Debate

Health care organizations storage mountains of person data, with the cybersecurity firm noting that Change Healthcare is responsible for the insurance billing of a third of the United States, so they naturally become attractive and lucrative targets.

Pressure is growing on the health care industry to improve its cybersecurity capabilities. The American Hospital Association (AHA) has noted that organizations have spent billions of dollars bolster their capabilities and has pushed back at the idea of the federal government imposing mandates. That said, the Biden Administration is expected to issue cybersecurity standards for health care firms.