Cyber criminals stole the health records of more than 9 million Americans last year, according to data from U.S. Health and Human Services. The data collected includes breaches from hospitals, health insurers and other health organizations covered by the Health Insurance Portability and Accountability Act, which makes breaches public when they affect more than 500 people.
Texas has led the country in total hacking breaches reported to HIPAA for four of the past five years. The state also ranked high in total number of records stolen, with more than 1.4 million individuals’ records stolen since 2014.
“We don’t see Texas hospitals as being any more vulnerable than other parts of the country,” said Lance Lunsford, vice president for communications at the Texas Hospital Association.
[Chart: Data Breach Incidents By State 2014-2015]
Texas is the second-most populous state, and it has more hospitals and more places to attack, he said. California, the most populous state, also has high numbers of cyber-based data breaches, according to HHS.
“The statistics are indicative of the large population of patients Texas serves and the corresponding number of providers,” he said.
Data shows that although Texas is often in the top two for total breaches, over the past five years it has ranked further down the list for individual records affected. Last year, criminals stole the records of more than 178,000 Texans, less than half the 2017 total. By comparison, breaches in North Carolina and Iowa saw 2.6 and 1.5 million individuals’ records exposed, respectively.
Lunsford concedes Texas hospitals are having to devote more resources to cyber security, from large urban systems to remote rural clinics, and it gets harder the less money there is.
“You can put some of these rural hospitals that are really in very narrow margin businesses in a tough position because they can’t make these kinds of investments,” he said. “As these attacks have picked up over the years, hospitals have been more and more direct targets because they have not only key financial data but also sensitive patient health information,” he said.
Credit ratings agency Experian charted how much could be made in the black market sale of stolen personal data. It said that while a Social Security number could go for as little as a dollar, a medical record could go for as much as a thousand dollars, or more than 10 times what a credit card number goes for.
“It’s huge,” said Sam Dibrell, chief technology officer for the Foundation for Trusted Identity, an organization that works with hospitals to secure their physical and cyber facilities. “With a health record you’ve got personal identifiable information. You can establish a long-term, fraudulent relationship with banks and other lenders and from a criminal standpoint you can profit significantly.”
Dibrell said cyber criminals are waking up to the fact that these records are profitable, and they are increasingly going after hospitals, which he calls “soft targets.”
“Until health care catches up and says, ‘We really need to start spending a lot of money on cyber security and keep these records safe,’ it’s going to continue to happen.”
According to a 2016 study by the SANS Institute — which provides training and certification to its cyber security members — the healthcare industry was spending 4 to 6 percent on security. But many in the field think it is less about dollars and more about understanding an individual organization’s risk.
“There is no amount of money you’re going to spend that will reduce the risk of a breach to zero,” said Jon Moore with Clearwater Compliance, a cyber security firm working with the Texas Hospital Association.
Over the years, he said, he has seen things improve in some ways. For instance, the amount of unencrypted data lost on thumb drives and laptops that are stolen or misplaced is down. On the other hand, the number of phishing attempts and successes, where a fraudulent email is sent to personnel and captures data or access, is exploding across the country.
“It’s like squeezing a balloon. You squeeze it, and it just pops up somewhere else,” Moore said.
Paul Flahive can be reached via email at Paul@tpr.org or on Twitter @paulflahive.
Copyright 2020 Texas Public Radio.