Scripps Health recently revealed it was the victim of a significant cyberattack, which forced the organization to shut down its systems and initiate emergency manual down-time procedures until it could restore all its systems 25 days later. The massive attack cost the San Diego-based health system nearly $113 million. The organization is far from alone. Ransomware attacks on the health care industry are increasing in number and severity.

Cyberattacks against health care organizations in the United States increased by 55 percent in 2020, and more than 26 million people were affected by health care breaches, according to the Bitglass 2021 Healthcare Breach Report. The average cost per breached record was $499 in 2020. With 26.4 million records exposed in 2020, data breaches cost health care organizations $13.2 billion.

The statistics so far for 2021 are more alarming. Fortified Health Security’s 2021 Mid-Year Horizon Report states that the number of breaches reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in the first six months of 2021 increased by 27 percent over the same period in 2020.

It’s no wonder health care organizations are vulnerable to cyberattacks. Health care providers, plans, and business associates process and store sensitive protected health information, including Social Security numbers and medical history.

One of the most recent attacks occurred at Scripps Health, which revealed in its third quarter 2021 financial report that the system experienced a significant cyber security incident on May 1 and took immediate action to contain the threat and help reduce disruption to patient care. Those steps included shutting down many of its systems, initiating emergency manual down-time procedures, conducting an investigation, and notifying federal law enforcement. In addition, the San Diego-based system engaged computer consulting and forensic firms to assist in the restoration of its systems. All systems were back online by May 26, but the organization reported total estimated revenue losses and incremental expenses of approximately $113 million.

Scripps determined that an unauthorized person gained access to its network, deployed malware, and, on April 29, acquired copies of some of the documents on its systems. By May 10, the organization was able to access a limited number of the documents involved in the incident and determined that some of them contained patient information. For certain patients, this information included their names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and/or clinical information, such as physician name, date(s) of service, and/or treatment information. For less than 2.5 percent of patients, Social Security numbers and driver’s license numbers were also affected.

“Importantly, this incident did not result in unauthorized access to Scripps’ electronic medical record application, Epic. However, health information and personal financial information was acquired through other documents stored on our network,” the system said in an update about the incident.

Cybersecurity Governance and Controls for Health Care

Memorial Health in Ohio announced last week that it had a cybersecurity incident on August 5 and canceled all urgent surgical cases and radiology exams the following day. Staff worked with paper charts until systems could be restored. And St. Joseph’s/Candler, the largest health care network in Savannah, Ga., learned in June it was the victim of a ransomware attack that affected 1.4 million individuals.

Health plans are not immune to attacks. Prominence Health Plan in Nevada experienced a security breach on Nov. 30, 2020, but didn’t discover it until April 22, 2021. Hackers potentially obtained the protected health information of 45,000 plan members, according to HIPAA Journal. The attack involved access to the Prominence call center phone recordings and PDF files that included provider claim forms and letters to patients about claim approvals and denials. An email phishing attack on Academic Health Plans Inc. in August 2020 exposed student PHI, Health IT Security reports.

To address the growing threat of ransomware and cyberattacks, RISE will present a virtual seminar 11 a.m. to 3 p.m. EST October 20-21 to help health care organizations throughout the country strengthen their digital resilience and ensure physical security in the age of cloud computing. Cybersecurity Governance and Controls for Health Care is designed for mid- to senior-level management professionals responsible for compliance, risk, IS, and privacy. Speakers will address how to reduce the risk of ransomware attacks and other cybersecurity threats, legal and regulatory requirements, incident report planning, and best practices. Click here for the complete agenda and registration information.