By Anthony Kimery
On Friday, an attorney for Ascension Health, a major U.S. hospital operator, wrote to Maine’s attorney general to tell him the electronic personal health information (e-PHI) of Ascension patients and employees were compromised during the ransomware attack that occurred in May that affected nearly 5.6 million people.
The attack significantly disrupted Ascension’s operations across its extensive network, encompassing 134,000 associates, 35,000 affiliated providers, and 140 hospitals in 19 states and the District of Columbia. Immediate consequences included the diversion of ambulances, closure of pharmacies, and a reversion to manual record-keeping methods as critical IT systems had to be taken offline.
Ascension attorney Sunil Shenoi said in his December 19 letter to the Maine Attorney General’s Consumer Protection Division that the company “will begin notifying applicable Maine residents of the security incident” through the U.S. Postal Service.
Despite the growing scale of cyber threats against the healthcare industry, a Congressional Research Service (CRS) report earlier this month emphasized that “there is no comprehensive digital data protection law in the United States.” Variable state data privacy and security laws compound this problem. Furthermore, while many data protection guidance documents are available, they are voluntary.
The attack on Ascension is the latest cyber-attack targeting the healthcare sector, which is particularly vulnerable due to the sensitive nature of patient data and the critical importance of uninterrupted medical services. Earlier this year there was a similar ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group that affected the personal health information of 100 million people, underscoring once again the escalating cybersecurity challenges healthcare providers face.
The February ransomware attack on Change Healthcare – attributed to the BlackCat cybercrime group – disrupted electronic payments and medical claims processing affecting healthcare providers and patients nationwide.
UnitedHealth CEO Andrew Witty told the House Committee on Energy and Commerce’s Subcommittee on Oversight and Investigations in May that the cyber “criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops [which] did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”
Witty told the Senate Committee on Finance that his decision to pay a $22 million ransom “was one of the hardest decisions I’ve ever had to make.”
In 2022, there were 626 reported breaches affecting over 41 million individuals, most stemming from hacking incidents. Smaller breaches, often resulting from unauthorized access or data mismanagement, affected another 257,105 individuals.
CRS stated earlier this month in a report to lawmakers on cybersecurity and digital health information that “cyberattacks targeting sensitive health information maintained by health care providers and health plans have sharply increased over the past decade. Healthcare data and information are attractive targets for cyberattacks,” and that “cybersecurity experts predict that these attacks will continue to affect a growing number of people in the future.”
Digital health technologies such as electronic health records, telehealth platforms, and medical devices have become cornerstones of modern healthcare. They enhance efficiency and accessibility. They also exponentially increase the attack surface for malicious actors. Healthcare providers, insurers, and related entities collect and transmit vast amounts of protected health information, making this industry an attractive target for cybercriminals due to the high value of health data. Americans’ health information commands millions of dollars on the black market.
Ascension’s attorney said the company’ “investigation determined that some of [the compromised] files contained an individual’s name and information in one or more of the following categories: medical information (such as medical record number, date of service, types of lab tests, or procedure codes), payment information (such as credit card information or bank account number), insurance information (such as Medicaid/Medicare ID, policy number, or insurance claim), government identification (such as Social Security number, tax identification number, driver’s license number, or passport number), and other personal information (such as date of birth or address). The particular type of information involved, however, varied by individual.”
In response to the breach, Ascension collaborated with third-party cybersecurity experts to investigate the incident and identify affected individuals. By December, the review was completed, and Ascension began notifying those whose personal information had been compromised, offering complimentary credit monitoring and identity protection services.
Ascension says it has restored its electronic health records system and continues to enhance its cybersecurity measures to prevent future incidents.
The cornerstone of health data privacy in the U.S. is the Health Insurance Portability and Accountability Act (HIPAA), which was enacted to ensure the secure and private handling of patient information. HIPAA introduced several key provisions, including the Privacy Rule, the Security Rule, and the Breach Notification Rule. However, as technologies evolve, HIPAA’s framework faces scrutiny for its limited reach and efficacy in addressing modern cybersecurity challenges.
The rise of digital technologies in healthcare has revolutionized patient care, streamlined processes, and provided unprecedented access to medical data. But, as with many technological advancements, this digital transformation also has introduced significant vulnerabilities, particularly in safeguarding the privacy of sensitive health information. Recent insights into the cybersecurity landscape of digital health underscore the critical need for robust privacy protections as cyberattacks grow in scale and sophistication.
The HIPAA Security Rule mandates administrative, physical, and technical safeguards to protect electronic personal health information (e-PHI), granting covered entities discretion in implementation. This flexibility is intended to accommodate varying organizational sizes and capabilities but also can result in inconsistent application and enforcement. More concerning though, the CRS report said is that HIPAA applies only to specific covered entities, such as healthcare providers and insurers, leaving out personal health app developers and other technology innovators who handle similar sensitive data. Consequently, this creates significant gaps where health data remains vulnerable to exploitation.
Critics also highlight the Security Rule’s inability to adequately address emerging threats such as ransomware and misuse of data in AI model development. AI, for example, relies heavily on vast datasets for training and validation, raising concerns about whether patient privacy is adequately safeguarded in such processes.
HIPAA’s Breach Notification Rule is designed to ensure transparency when breaches occur, and requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media. Yet, the rule is reactive, addressing the aftermath of a breach rather than preventing incidents in the first place, CRS said.
When entities outside HIPAA’s purview experience breaches, the Federal Trade Commission (FTC) Health Breach Notification Rule applies. However, this dual system creates confusion among stakeholders, who must navigate overlapping jurisdictions. The lack of a unified, comprehensive framework exacerbates the problem, leaving patients uncertain about the security of their health data.
Another pressing concern is the cybersecurity of medical devices. Many modern medical devices connect to networks or the internet, increasing their susceptibility to cyberattacks. Hospitals often operate thousands of interconnected devices, making it challenging to monitor and secure every endpoint. Insecure devices not only endanger patient privacy but also jeopardize care delivery. For instance, a compromised infusion pump or defibrillator could have life-threatening consequences.
The Food and Drug Administration (FDA) has taken steps to address these vulnerabilities through premarket and post-market cybersecurity guidelines. However, the onus of ensuring device security often falls into a gray area between manufacturers and healthcare providers. This ambiguity underscores the need for clearer responsibilities and more rigorous oversight to prevent breaches that could endanger patient privacy and safety.
The implications of privacy breaches in healthcare extend far beyond financial costs. Patients may suffer reputational harm, discrimination, or identity theft due to leaked health data. Cyberattacks have also led to hospital closures and disruptions in care delivery. In extreme cases, these disruptions may contribute to adverse health outcomes or fatalities.
The increasing frequency of ransomware attacks further compounds these risks. In such incidents, hackers encrypt critical health data and demand payment for its release. The resulting downtime often forces healthcare providers to revert to manual processes, delaying treatment and compromising care quality.
The fragmented approach to protecting personal healthcare information leaves the health sector reliant on a patchwork of federal, state, and voluntary guidelines. While HHS and FTC enforce HIPAA and the Health Breach Notification Rule, their limited scopes fail to account for the full spectrum of entities handling health data.
Efforts to strengthen cybersecurity regulations remain pending. HHS published a Notice of Proposed Rulemaking for an update of the HIPAA Security Rule five years ago. Meanwhile, a slew of legislation has been introduced, but progress has been slow, leaving gaps that cybercriminals continue to exploit.
As healthcare technology evolves, striking the right balance between innovation and privacy is paramount. Stakeholders must collaborate to create frameworks that protect patient data without stifling technological advancement. This includes expanding regulatory coverage, improving cybersecurity standards, investing in resilience, and enhancing transparency.
Laws like HIPAA must evolve to include non-traditional entities, such as app developers and AI companies, that handle health data. Mandatory baseline standards across the healthcare ecosystem can reduce variability and improve overall security. Grants and resources for underfunded entities, particularly rural healthcare facilities, can help them adopt robust cybersecurity measures, and clear and consistent breach notification practices can build trust among patients and ensure accountability.
The privacy of health information is a cornerstone of trust in the healthcare system. As the threats to this privacy grow, so must the collective efforts to protect it. Policymakers, healthcare providers, technology developers, and regulators must act decisively to close gaps, strengthen safeguards, and build a resilient framework that secures patient data in an increasingly digital world. Failure to do so risks not only privacy but the integrity of the healthcare system itself.
Source: Biometric Update
Anthony Kimery is the former Editor-in-Chief and co-founder of Homeland Security Today. He managed the magazine, daily online news operations and wrote the award-winning “Kimery Report,” which covered a broad spectrum of HS-related issues, from public health preparedness to intelligence collection. He has 30-plus years of broad institutional knowledge and expertise in homeland/national security matters and issues as an editor, analyst, and consultant. He also serves as Advisory Board Member of Mississippi College’s Center for Counterterrorism Studies.
Become a Patron!Or support us at SubscribeStarDonate cryptocurrency HERE
Subscribe to Activist Post for truth, peace, and freedom news. Follow us on Telegram, HIVE, Minds, MeWe, Twitter – X and Gab.
Provide, Protect and Profit from what’s coming! Get a free issue of Counter Markets today.