The healthcare industry just can’t catch a break. Ascension Healthcare was recently plagued by ransomware, causing significant disruptions to services. Now, United Healthcare and Kaiser Permanente have also fallen victim to cybercriminals as well. With such massive organizations, there is no question that they have security in place.
It begs the question, how could they become victims?
It’s not that the security in these healthcare organizations is terrible; it’s that cybercriminals are using increasingly sophisticated cyberattacks, targeting the healthcare sector due to the high value of protected health information (PHI). There is a definitive value proposition here. PHI is immensely valuable because it includes sensitive data they can exploit for identity theft, fraud, and other malicious activities. Which means attackers have a substantial financial incentive to pull out all the stops in an attack, thinking up creative ways to get at this data. Plus, with the help of tools such as Generative AI, their creativity has become automated.
These breaches have victims, though. Just for starters, data breaches result in severe regulatory and financial consequences for healthcare providers. Regulatory bodies may impose hefty fines for non-compliance with data protection laws like HIPAA. At the same time, financial repercussions may include direct loss from ransom payments, legal fees, and long-term reputational damage, leading to lost revenue.
However, the damage is more than financial, as breaches can disrupt patient care. In the past, they have been linked to organizations halting elective procedures and even diverting ambulances to other facilities. These incidents undermine patient trust, which is crucial for effective care and their willingness to seek future treatment with a healthcare organization. As you can see, the problems snowball, and sometimes never come to a halt.
One of the latest giants to fall victim to a cyberattack is UnitedHealthcare (UHC). This behemoth fell to a vulnerability in their Citrix software, enabling unauthorized access to their systems. The AlphV/BlackCat group capitalized on this weakness, demanding a $22 million ransom to mitigate the risks and restore access. However, UHC did precisely the opposite of all the guidance suggested and paid the ransom. Of course, because of this, they discovered a hard lesson about trusting criminals, finding out that those who ran the service stole the cash in this ransomware as a service (RaaS) attack. This left the criminals using the service, who had the key, quite angry and prompted them to demand another ransom because they never got paid.
UHC was in a hurry to pay as the breach significantly impacted healthcare operations across the United States, disrupting medical claim processing and patient services. Ultimately, it is estimated that this attack will cost UHC almost $1.6 Billion to resolve, which includes the reported $872 million they have spent so far. Much of that will include HIPAA-related fines and penalties for failures to protect patient data.
Kaiser Permanente, a well-known US healthcare consortium, was also a target for cybercriminals. They misused tracking technologies hosted on Kaiser websites and mobile applications, inadvertently sharing sensitive user data of 13.4 million users with third-party advertisers, including Google and Microsoft. The information disclosed encompassed IP addresses, names, user interactions, and search terms.
Kaiser reacted swiftly, removing the problematic tracking codes and strengthening its data privacy protocols to prevent future incidents. However, this still came at a cost: damaging the public perception of its data safety.
When looking at these attacks objectively, it is essential to note that despite having different vectors and outcomes, cybercriminals were targeting sensitive data.
UHC was compromised through a targeted ransomware attack that exploited system vulnerabilities. This breach led to significant disruptions in healthcare operations and exposed highly sensitive health information. In contrast, Kaiser Permanente’s breach resulted from inadvertent data exposure through third-party trackers, involving less sensitive data like user interactions and search histories.
These attacks targeted different data types. UHC lost PHI, which is sensitive patient data, while Kaiser lost PII (personally identifiable information), which still can be damaging to patients and used for fraud.
The long-term implications for UHC are severe, with significant financial and reputational damage, whereas Kaiser’s main challenges are rebuilding trust and strengthening privacy practices. Not to mention, the possibility for a future attack remains. The reason for this all stems back to the volume and variety of sensitive data compromised in the attacks.
With the wide range of cyber threats, organizations need more than a single solution to protect their data’s privacy. From hidden malware to ransomware and accidental data exposure, one solution is not enough to hold back threat actors. It takes a multifaceted selection of cybersecurity controls to create a baseline, and advanced systems to monitor and detect sensitive data while it’s in motion and ensure it ends up where it belongs.
In healthcare, protecting sensitive data requires tools that focus on the data first, such as Data Detection & Response (DDR). DDR is capable of using many techniques to protect sensitive information from reaching the wrong hands, including anonymization, tokenization, and masking. Each of these transform sensitive data into formats that unauthorized users cannot exploit, maintaining its utility for legitimate analytical purposes. Data masking is also employed to obscure the original data with random characters, ensuring it remains secure yet functional for non-critical applications.
Going beyond the static solutions of the past, as well as those that are reactionary-only and leave teams scrambling to plug gaps and remove threats, DDR solves all this through real-time monitoring and response capabilities. By tackling threats and privacy risks in-motion, this allows for immediate detection and reaction to unauthorized access attempts. This seamless integration with existing security measures enhances overall data protection and ensures compliance with stringent regulatory standards for protecting patient information.
It begs the question, why not stop threats and privacy risks before they ever have a chance to infiltrate and damage your organization?
In the healthcare sector, the margin for error in data security is nonexistent. Votiro Zero Trust DDR equips healthcare providers to ensure real-time privacy and compliance for sensitive data.
Votiro Zero Trust DDR safeguards healthcare data by sanitizing it as it traverses organizational boundaries via file sharing, emails, collaboration platforms, and more. It monitors unstructured data continuously, detecting and anonymizing sensitive information in real-time. This proactive approach ensures that healthcare providers maintain control over their data security, effectively preventing data leaks and breaches while adhering to regulatory compliance.
To learn more about Votiro’s Data Detection and Response capabilities, sign up for a one-on-one demo of the platform or try it free for 30 days and see how Votiro can proactively defend your organization from the next big data breach.