Healthcare data breaches: a dangerous trend
- Team Invi Grid

Have you ever asked your healthcare provider for your X-ray, CT scan or MRI images or results, only to be asked to fill out a paper form and wait two to three weeks until they can burn a CD of your requested medical record? The reason the healthcare provider gives for this archaic process is, you guessed it, HIPAA.
On the other hand, as reported in HIPAA Journal's healthcare data breach statistics report for 2024, released in January 2025, not only is the number of healthcare provider breaches on the rise, but the number of records and individuals affected is also increasing dramatically.
It is ironic that getting our own medical records from our healthcare institutions is hard, while cybercrime gangs seem to get to them easily!
This article was first published in Cyber Defense Magazine's April 2025 issue.
Not just ironic, but highly alarming
The breach reported by 23andMe in 2023 affected 7 million users, with hackers accessing ancestry reports and other sensitive data. One of the largest healthcare data breaches of all, the Change Healthcare breach of 2024, affected 190 million individuals. More recently, the Sunflower Medical Group, a Kansas-based healthcare provider with multiple urgent care facilities, confirmed a cyberattack that exposed sensitive information of its 221,000 patients, including names, addresses, dates of birth, Social Security numbers, driver's license numbers, medical information and health insurance information.
If a credit card is stolen, lost or misused, you can have it replaced. But if your medical information is stolen, you cannot simply change it. Health information is highly personal, and unauthorized disclosure can cause far more damage to an individual than identity theft and financial fraud. It is an invasion of privacy that cannot be undone once health data has been lost.
In the case of genetic data, it can also mean an indirect invasion of privacy for family members who may be predisposed to genetically inherited diseases. The cost of a breach of personal health data is difficult to ascertain because of its qualitative nature, unlike a loss due to credit card fraud or insurance fraud. Once you provide your DNA, genetic data can be sold and acquired like any other corporate intellectual property or asset.
Most healthcare organizations, like other breached organizations, offer identity theft protection and credit monitoring services. This fails to take into account that theft of medical information can result in discrimination in housing, employment and insurance, as well as embarrassment, anxiety, emotional distress and other psychological effects. This in turn can lead to lawsuits, reputational damage and loss of patient trust, among other things. The damage to healthcare institutions also goes far beyond the substantial financial repercussions of lawsuits, regulatory fines and penalties that may be imposed on them.
The irony
HIPAA, enacted in 1996 to ensure portability and accountability of health insurance coverage, also includes security and privacy rules to protect sensitive health information from disclosure without patient consent. There are other laws and regulations as well, such as the various state privacy laws covering personally identifiable information, or the FDA's FD&C Act, which regulates the safety and effectiveness of medical devices, including certain mobile apps intended for use in the diagnosis of disease or other conditions, in the cure, mitigation, treatment or prevention of disease, or to affect the structure or any function of the human body. The 21st Century Cures Act also prohibits "information blocking" and supports interoperable health IT in the nation's health information infrastructure.
These regulations provide for portability of health data for patient care and insurance coverage while simultaneously enforcing security and privacy protections.
However, as can be seen from the examples above, HIPAA and these regulations are neither well understood nor correctly implemented, causing administrative burdens and barriers to care instead of providing defenses against cyberattacks and privacy invasion. The latest round of OCR audits, in 2016 and 2017, as reported by HIPAA Journal, shows that most HIPAA-regulated entities are failing cybersecurity 101. This scorecard is damning and clearly points to the reasons for the increased risk of breaches.
At the same time, a lack of clear education and training among healthcare professionals and the rapid evolution of technology have created new challenges for maintaining compliance, as data is now stored in the cloud or on mobile devices, unlike in the past, when your data never left the doctor's office or the hospital.
The path forward
There is a clear and urgent need for healthcare organizations to step up their cybersecurity hygiene. There is also a need for a clear understanding and implementation of these laws in their spirit and letter: their focus on portability and accountability for patient care, backed by robust security and privacy protections.
New technology creates many exciting opportunities and possibilities, not just for healthcare itself but also for protecting healthcare data. Investing in technology that creates efficiencies, reducing rather than increasing administrative burdens and bringing down barriers to access, makes it easier for doctors, patients and their families to provide and receive care while preserving privacy and protecting sensitive information from cybercriminals. But above all, applying HIPAA in its spirit to ensure true portability and accountability of our healthcare data is critical, and we health technology professionals, including cybersecurity and privacy teams, play a huge part in that.
BIO
Yogita has more than two decades of experience in technology risk and cybersecurity. She has been head of security and IT, and a cybersecurity leader, at an AI company, a healthtech company and a fraud risk tech company, as well as at Oracle and EY. She is a recognized thought leader in the security governance space and an evangelist for security- and privacy-by-design principles that ensure systems are built in a way that wins the trust and confidence of their potential customers. She has been recognized in the Power 100 2025 by the Silicon Valley Business Journal (Innovation category), as a Security Veteran by SC Magazine, among 150 women fighting cybercrime by Cybercrime Magazine, and for her contributions as President of ISACA Silicon Valley. She is an eminent speaker at various professional forums, including the Private Directors Association, the ITAA-NASSCOM US India cyber summit, ISSA and ISACA, among many others, including as a keynote speaker. Currently, she is the CEO of Invi Grid Inc., which has been recognized as cutting-edge cybersecurity innovation by Cyber Defense Magazine. She is also an investor and a mentor to other founders.
Learn how InviGrid helps teams securely design, deploy, validate, and continuously govern AI infrastructure at scale. Email us at info@invigrid.com.