A notable rise in cybersecurity incidents and data breaches concerning hospitals and healthcare providers showcases an unnerving trend.
On December 24th, hackers began emailing the patients of Integris Health demanding $50 in bitcoin in order to stop their data from being published on to the dark web. In short, the attackers were extorting these patients. In all, the attackers say they stole data of more than two million people in a breach of the Oklahoma-based healthcare network.
The data that potentially was compromised, according to Integris, includes name, date of birth, contact information, demographic information, and/or Social Security number. Medical information was not involved, according to Integris. The hospital chain is offering identity monitoring services to affected patients.
The attack on Integris is eerily similar to another recent attack on a healthcare provider. In December, cancer patients from the Fred Hutchinson Cancer Center in Seattle received extortion emails after the center was breached in November.
In the case of Fred Hutch, the attackers even threatened to “swat” patients. “Swatting” is when a fake emergency call is placed into law enforcement forcing police to respond. Swatting has in some cases, lead to innocent people being killed during the event. At the very least, it can cause some unnecessary trauma for those who are forced to endure such an event. Luckily, it doesn’t appear any swatting events occurred in regard to the cyber incident.
The Department of Health and Human Services (HHS) says that ransomware attacks against healthcare organizations are up 278% in the last four years including a 60% increase in 2023. In the first ten months of 2023, more than 88 million individuals had their medical data exposed, according to HHS.
Signup for our Newsletter
One thing to consider is the sensitivity of the data held by hospitals and healthcare providers. The data is more than just personally identifiable information (PII), such as names, addresses, and social security numbers. These providers hold our medical history, our diagnoses, the literal state of our physical and mental wellbeing. This is data that could be very enticing for someone who decides to use it.
Soon, I think, the market for PII will become so saturated as for this information to be all but worthless on the darker corners of the internet.
While most of us now shrug our shoulders at having our Social Security numbers and the like in the hands of hackers, the value of medical information, such as medical history, diagnoses, doctor’s records, these may become more valuable for attackers who are filling the gap they helped create by flooding the dark web with PII. In short, this is a trend that I only think will escalate.
Let’s be clear, it is probably almost never a good idea to pay an extortion demand. However, receiving an email from an attacker which says they have your medical history or mental health information and are planning to post it online unless you pay them a sum of bitcoin? That might give some people pause. Especially if it contains something you wouldn’t want to be made public.
Could this be an untapped resource for extortion? Hospitals, clinics, therapy centers. Time will tell. However, attacks on these organizations are likely not going to slow down.
Recently, genetic testing provider 23andMe confirmed that hackers stole health reports and raw genotype data of customers affected by a data breach that went unnoticed for five months. The breach affected nearly 7 million people. The company said that the attackers may have accessed certain health reports derived from the processing of genetic information, including health-predisposition reports, wellness reports, and carrier status reports. Threat actors may have also accessed self-reported health condition information as well.
If your information is involved in a data breach, whether it be health information or PII, there are some things you should do.
If you receive an extortion email, you should report it to the FBI’s internet crime complaint center (https://www.ic3.gov/). Block the sender and don’t send any money.
When it comes to identity monitoring, if it is offered by the offending organization, you might as well take it.
It is also a good idea to freeze your credit with the three credit bureaus (Equifax, Experian, and TransUnion). The credit bureaus have lowered the drag to freezing your credit, although, in my opinion, it is still too difficult. It is 2024, and we can’t develop an app that allows people to freeze and unfreeze their credit with the push of a button and automatically notifies us when someone tries to view our credit or open a line of credit in our name? One app. Not three. The credit bureaus don’t really have an incentive to build such a thing, so until they are compelled to by the government, we are stuck with the system we’ve got.
Also, it is a good idea to change any passwords tied to portals of healthcare organizations that have been breached, even if that information was not involved and keep an eye on any medical billing and be cognizant of the data you are sharing with medical providers.
Attacks on healthcare providers will likely continue to grow, so it is important to remain diligent and protect your information as best you can.
About the Author
Corey White is a security analyst at Future Point of View. He is focused in the areas of cybersecurity, artificial intelligence, and data privacy. From guiding organizations on building robust incident response plans to identifying and remediating risk and even monitoring the deep and dark web for information, Corey has vast experience in keeping organizations and individuals safe in an increasingly complex, critical, and dangerous digital landscape. Learn more about Corey White.