Health Advice



Why health care has become a top target for cybercriminals

Elise Takahama, The Seattle Times on

Published in Health & Fitness

When a cyberattack hit Seattle's Fred Hutchinson Cancer Center late last year and exposed the personal data of nearly a million patients, many were caught off guard, stunned a breach could infiltrate such a large and highly resourced health care organization.

But those working in computer security weren't surprised. In recent years, they've watched other hospitals and health care facilities across the country get hit by similar attacks, some that have crashed systemwide operations and caused delays in patient procedures or tests, or rerouted ambulances to other emergency rooms.

Cyberattacks of all sorts have plagued large corporations, small businesses and individuals for decades now, but in the past several years, health care has become a top target, according to federal and local cybersecurity experts. These organizations hold a massive amount of patient data — including medical records, financial information, Social Security numbers, names and addresses. They're also among the few businesses that stay open 24/7, meaning they might be more likely to prioritize avoiding disruptions and, therefore, more likely to pay a hacker's ransom.

"They're basically a one-stop shop for an adversary," said Chris Callahan, chief of cybersecurity for the Northwest region of the federal Cybersecurity and Infrastructure Security Agency, or CISA. The agency, housed in the U.S. Department of Homeland Security, also works to defend against government and election hacking, but recently health care — along with K-12 education and the water supply — has emerged as one of its most urgent priorities, Callahan said.

In December, the U.S. Department of Health and Human Services reported that the medical data of more than 88 million people was exposed in the first 10 months of 2023. The department also saw a 93% increase in large, health care-related breaches reported to the agency between 2018 and 2022.

While fewer data breaches in Washington state were reported to the state Attorney General's Office last year compared with 2021 and 2022, which both saw a record number of cases, experts say cyberattack numbers are still much higher than they were before the pandemic.


In the past three months, 13 health care-related businesses have detailed large breaches to state Attorney General Bob Ferguson, as is required by Washington law when more than 500 residents have been impacted by a cyberattack.

Attacks against computer systems at Proliance Surgeons and Western Washington Medical Group last February and July, respectively, allowed unauthorized access to the data of hundreds of thousands of patients, the medical groups wrote to Ferguson's office. Dental insurer Delta Dental, Vancouver-based Hi-School Pharmacy, and California-based vision care provider Medical Eye Services (known as MESVision) were also hit last year, impacting thousands more.

Patients' health information is worth a lot of money to hackers, said Geetha Thamilarasu, an associate professor of computing and software systems at the University of Washington, Bothell. Once someone gets hold of a stolen medical record, they can buy fake prescriptions, file bogus insurance claims, participate in identity theft and sell it online, among other things, she said.

"There is a huge underground market on the dark web," said Thamilarasu, who specializes in health care security. "Research shows that if a compromised credit card sells for about $1 to $5 each, a compromised medical record can sell anywhere from $400 to $500 — sometimes even $1,000."


swipe to next page

(c)2024 The Seattle Times. Visit The Seattle Times at Distributed by Tribune Content Agency, LLC.


blog comments powered by Disqus