This week on the HIPAA Insider Show, we examine the healthcare data breach landscape as we move into 2025. Adam and Gil discuss the latest statistics, uncover emerging trends, and analyze what these developments mean for the future of healthcare data security. Learn how the industry can adapt to the growing threats and what organizations can do to enhance their defenses.

Transcript

Adam Zeineddine
Hello and welcome to the HIPAA Insider show, your trusted source for all things healthcare in the cloud. I’m Adam and as always, I’m joined by our in-house expert, Gil Vidals. Hey, Gil, how you doing?

Gil Vidals
Adam? Doing great. Looking forward to this podcast today.

Adam Zeineddine
Yes. Yeah, me too. All our listeners and viewers, we record a little bit in advance, so I hope you had a nice Thanksgiving. Gil, how was your Thanksgiving?

Gil Vidals
Good, good. I got to. I’m in the Rocky Mountain area, so I got to enjoy a nice white Christmas, so a lot of fun.

Adam Zeineddine
Yeah, I have Rocky Mountains at this time of year, I think. Crisp.

Gil Vidals
Oh, yeah.

Adam Zeineddine
Crisp weather. Well, today our main topic is going to be, as 2024 comes to a close, we’re looking ahead at 2025 and discussing healthcare data breaches. We touched on health. We have touched on healthcare data breaches several times. The last time we looked at them was in August, Gil, in an episode where we reviewed the aftermath of the United Healthcare breach, which is the largest in history, which, I didn’t plan this, but it seems like there was a major event, right, that came out in the news with UnitedHealthcare and the CEO being assassinated.

Gil Vidals
Yeah, that was pretty surprising. I can’t, I can’t think of an incident like that where they targeted a CEO in recent years. So. Yeah, that was a sad event. But it does raise a lot of eyebrows for people that understand exactly what happened. I’m sure there’ll be a lot of forthcoming information about that.

Adam Zeineddine
Yeah, yeah, it’s, it is, it is strange. And now there’s talk about, there’s, there was writing on the shell cases of the, the bullets. Yeah. So it seems like there was a grievance there, whether it was personal or.

Gil Vidals
Oh, I didn’t know about that. What did they say was written on those shell casings?

Adam Zeineddine
Let me pull that off.

Gil Vidals
I had not heard about that.

Adam Zeineddine
Yeah, the words delay, deny, and possibly depose. I think the third one that they couldn’t quite make it out, but delay, deny, depose.

Gil Vidals
Wow.

Adam Zeineddine
On the shells.

Gil Vidals
Okay. Yeah, it’s a bit mysterious and nefarious, for sure.

Adam Zeineddine
Investigators believe they could reference the three Ds of insurance coined by the industry’s critics, which are delay, deny, defend. So it could be something to do with, you know, being the CEO of. Pretty likely it’s to do with this position.

Gil Vidals
Yeah.

Adam Zeineddine
Whether that was linked to, you know, what happened this year and in the breach and someone’s, you know, wanted to take vengeance. Who knows, but yeah, well, we can move into the healthcare breach statistics. So this here I’m going to share from HIPAA Journal. So looking at the broader landscape, according to the HIPAA Journal, between 2009 and December 2024, nearly 6,000 large healthcare data breaches have been reported to HHS. And 2024 alone saw over 700 reported breaches, continuing the trend of record-breaking years for healthcare data exposure.

Gil Vidals
Yeah, it’s pretty tremendous. For perspective, in 2023 there was a record 725 breaches and 133 million records exposed. We don’t have the full record obviously for 2024, but we can see that generally speaking in healthcare it’s very lucrative for organized crime to go after those records. And the proof is in the number of breaches that there are. If you compare that, for example, with the PCI industry, which is not healthcare related but financially related, we don’t have those numbers today. But you could compare and see, you know, why healthcare is so large and egregious, and it’s because those records, and we’re going to talk about that as well today, those records are very valuable to organized crime compared to, say, a credit card record.

Adam Zeineddine
Yeah, it’s clear that healthcare is facing relentless challenges and onslaughts from hackers, and the challenge of securing the sensitive data is ongoing. And you can see here, it’s just the charts. Data breaches from 2009-24 just keep increasing. I mean, this data no doubt will increase because we haven’t finished the year yet and there’s delays in the reporting and all that. I think it’s pretty likely that this tops last year. What do you think?

Gil Vidals
It’s possible. I mean, in March of 2024, in the spring, there were 97 reported incidents and that was the highest of the year so far. And then in September there was a decline. There were only 34 breaches, which is the lowest figure since 2020. So I, we don’t know yet. We don’t have the full year. But that would be a good thing if the trend was reduced like that. But it’s too early to tell, Adam. We don’t know if this is going to be a trend or if it was just a lull, but it could.

Adam Zeineddine
Be one of those things where, you know, there’s a big, back in the day, a big train heist and then all the train robbers go lay low for, you know, the rest of the year just because they know that everyone’s looking for them. So we could dig into the root causes a little bit then. Gil, what continues to drive the data breaches year after year?

Gil Vidals
Yeah, the hacking and IT incidents are the leading cause, accounting for really about 78% of the large breaches in the first half of 2024. But other factors that are important too are unauthorized access or disclosure, insider threats, where there’s a rogue employee, that happens as well. And then also I’ve seen cases where there’s lost or stolen physical records like a hard drive. I received a letter, Adam, from my insurance company saying that my patient information, my medical data had been possibly exposed because of a missing hard drive. Right. So something happened. The drive was missing and it had my data on it. So those are others. So it’s not always just hacking. It could be something like a missing drive or a rogue employee who’s upset with the employer and takes some of the data.

Gil Vidals
By and large, you know, the hacking of course is the larger problem.

Adam Zeineddine
Yeah, and that chimes with what the HIPAA Journal article here is reporting in terms of, like, the largest records breached historically. Number one was this year and it was a hacking incident, the Change Healthcare one that we talked a little bit about at the top of the show, 100 million records breached. And then number four was also this year and that was the other type that you talked about, which is unauthorized access/disclosure, Kaiser, 13.4 million. So I mean, clearly there’s a trend that it’s upwards here. Why do you think healthcare is such a prime target?

Gil Vidals
You know, there is some indication as to why health care records and health care is such a prime target. And part of that has to do with just supply and demand. So on the black market, the health care records are sold for far more than PII. PII being personal information like a security, Social Security number or driver’s license number, that kind of a thing that might sell for a buck or two on the black market, versus medical and PHI records. Those can go for hundreds of dollars, $300, $350 per record. So you can see the healthcare records are vastly richer for these organized criminals.

Adam Zeineddine
Why is that? Like is the data richer or what is it about the healthcare data?

Gil Vidals
The healthcare data has more scope and is broader. By that, I mean when they take medical records, that comes with a lot more information. It could come with the names, not just of the person, but it could say, well, who’s the father, who’s the mother, who’s the spouse? And now you’ve got even greater breadth. It also includes information that could lead to attacking that person in particular. Say, for example, there is some kind of a medical history for someone who’s high profile that they can.

Adam Zeineddine
Moral kind of attack mail.

Gil Vidals
Okay, that’s right. They could do blackmail for a particular person. They could be someone who’s the CEO of a big company. And they say, hey, look, you’ve got some sexually transmitted disease. You know, you don’t want everyone knowing about it. So they can exploit that for a lot more money than just stealing that guy’s driver’s license number, Social Security number. So there. And then there’s a lot of other data that’s included. There’s also medical history. And so I think that the information is deeper with the medical records than it would be for just PII.

Adam Zeineddine
Yeah. Probably easier for them to build up a case to commit fraud as well, because they have so many different bits of information, you know, like potential security questions that they could answer.

Gil Vidals
You’re right about that. I forgot about that. I’m glad you brought that up. Yeah. They could leverage that information to say, go to the IRS and say, oh, I’m going to ask for a tax refund. And then with the medical records, they’ll have all the birthdays and names and, you know, be able to answer security questions and be able to go to the IRS and say, hey, that tax refund belongs to me, the hacker. So it does. It does give them that ability to do that. Thanks for bringing that up.

Adam Zeineddine
Yeah, yeah, it’s.

Gil Vidals
So.

Adam Zeineddine
Yeah, I mean, it’s clear why it would be a. You know, you mentioned PII being $1 to $2 per record on the black market versus $300 to $350 for PHI. The value of that. Yeah, it makes sense because you’ve got potentially, you’ve got certain amounts of credit card information as well and all that extra data. Okay, let’s shift focus to the individuals affected by these breaches. How do the breaches impact the patients themselves?

Gil Vidals
Yeah, I think the most obvious is compromised privacy. Nobody likes that. It’s like when you hear people say, oh, somebody came into my home when I was on vacation and they robbed my home. People feel uncomfortable afterwards going into their bedroom, to the bathroom, knowing that someone was in there, looking at all their stuff, taking their valuables. So compromised privacy. Right. Somebody has your records. That just makes people uncomfortable. There could also be financial loss, you know, if they were able to take enough information, like I said before, and go to the IRS and claim that the tax refund belongs to them. Now that could be a financial loss. And then identity theft.

Gil Vidals
Of course, identity theft means that the hacker has your information and then they can go, and they can go apply for, you know, credit cards or go do all sorts of things on behalf of you because they have all your information. They have the same information you have. If you were going to go online and apply for a credit card, for example, they would be able to apply for a credit card and try to gain financial leverage, if they can, with your information. One of the most notable breaches that occurred was in February of this year when UnitedHealth’s tech unit, which is called Change, was hacked and the breach affected a hundred million people. So I know a lot.

Adam Zeineddine
Of people that got emails about that.

Gil Vidals
Yeah, it’s huge. It’s huge. And so the chances are that our audience, you know, somebody in the audience, most of the people in the audience, I should say, have had their information stolen. Like I have. I’ve had at least two letters, actually three in the last 10 years that have come in from my insurance providers, medical insurance, that told me, hey, you know, sorry, your data’s been breached. And I just got one, the most recent one just happened, I want to say, about two months ago. So it’s kind of a. It’s. Unfortunately, Adam, it’s almost like people are just used to it now, say, oh, well, you know, my data is out there. I suppose some people might still get upset about it, but for me, it happens regularly and I don’t have, personally, I don’t have anything that I’m worried about.

Gil Vidals
I’m a healthy guy. And so whatever they’re taking in those records doesn’t seem to have much bearing. But, you know, it’s still a bad thing. Yeah.

Adam Zeineddine
And I bet you’re set for the rest of your life for identity protection monitoring services.

Gil Vidals
Yeah, well, they, yeah, that’s funny because that’s what they offer. Right. Oh, I’m sorry, Gil. We took your. Somebody took your data. Here’s identity theft monitoring for the next 24 months. I get it for a couple of years. Yeah.

Adam Zeineddine
Well, it is interesting that it’s mostly the insurance company because I, I suppose that would be where the most juicy data is. And, you know, HIPAA’s the Health Insurance Portability and Accountability Act. So moving into 2025 and keeping HIPAA in mind, what steps should healthcare organizations take to protect against the growing threats that we’ve just reviewed from last year?

Gil Vidals
Yeah, well, in this podcast, we’re not going to get into the nitty gritty of exactly the tactics, but. And we should probably do another.

Adam Zeineddine
Yeah, we’ve done a lot as well.

Gil Vidals
Yeah, yeah. But from a high level view, a strategic point of view, you want to invest in advanced threat detection systems as a business to help identify and neutralize risks in real time. So it’s good to be able to put up a shield, so to speak, as an attack is occurring, rather than have the attack be successful and then you’re trying to mitigate the downside. So advanced threat detection, what does that mean exactly? Well, there’s all sorts of newer tools that use AI and they use more sophisticated algorithms to try to protect the company’s data. So I would look into that. Secondly, I would conduct a regular risk assessment and update the security policies that apply to all the employees and also train those employees to recognize phishing attempts.

Gil Vidals
Keep in mind that many of the attacks by the hackers happen because the employee of a company is clicking on some phishing email and the email asks them to click on a link and then they get infected and then it goes downhill from there. So phishing attempts are very widespread. So I would look into that specifically and then use strong encryption for all your sensitive data and implement strict access control. So, you know, in other words, who has access to the sensitive data? Does every employee in your company have access to it? Well, that would be good, but who does have access? And when an employee leaves your company, do they still have access or did you shut them off from that? So those are the kind of things that I would be.

Adam Zeineddine
Yeah, sounds like a multi-layered approach is key for this. Like no single solution is going to address the whole problem, right?

Gil Vidals
Yeah, exactly. Organizations need to build a culture of security where all the stakeholders understand their role in protecting the sensitive information.

Adam Zeineddine
That’s fantastic. Well, there you have it, folks. And that’s all for today’s episode of the HIPAA Insider Show. As we head into 2025, healthcare data breaches remain a critical issue, but understanding the trends and implementing procedures and measures can make a difference. Please like, share, and subscribe. And until next.