TAMPA — A criminal group now being pursued by the FBI had access to Tampa General Hospital’s computer system for three weeks.
Its attempt to encrypt and ransom the hospital’s data — which could have significantly impeded care of patients — was thwarted by internal security measures. Nonetheless, hackers were still able to download personal data on 1.2 million patients.
The crime is among a spate of recent data breaches affecting Florida patients. HCA Healthcare in July reported that an unauthorized user stole data on about 11 million patients in 20 states, including Florida, and posted it on an online forum. And this week, Johns Hopkins Health System, which runs All Children’s Hospital in St. Petersburg, reported the theft of personal information on 310,000 patients, including almost 10,000 from Florida.
Nationwide, more than 50 million patient records were compromised in 2022, according to analysis by cybersecurity firm Critical Insight. The records of more than 3.4 million Florida patient have been compromised this year and 36 data breaches are still under investigation, according to the Department of Health and Human Services, suggesting that health care firms will continue to remain a favorite target of hackers.
The health care sector is perceived as being more vulnerable than those in the finance, defense or aerospace sectors, said Joe Partlow, chief technology officer at ReliaQuest, a firm that provides computer security guidance to banks, utility companies and health care providers among others. Finance firms tend to invest more in security measures, in part because of regulations, he said. Health data also typically includes Social Security numbers and insurance details prized by hackers.
”They are a good target,” he said. “They know it’s a good trove of personal data.”
The damage is not just to patient confidentiality. The average cost of a health care breach rose to $11 million this year, a 53% increase since 2020, according to an IBM report.
Phishing emails that entice employees to enter log-ons and passwords are still the primary means used by hackers to gain access to computer systems, Partlow said.
Once they have broken in, one tactic is to encrypt or encode data, rendering it unusable until the hospital pays a ransom. At least five U.S. hospitals paid ransoms in 2021 to be able to use their data again, according to a report by Becker’s Hospital Review.
Keep up with Tampa Bay’s top headlines
Subscribe to our free DayStarter newsletter
You’re all signed up!
Want more of our free, weekly newsletters in your inbox? Let’s get started.Explore all your options
The critical mission of hospitals makes them particularly vulnerable to that threat, Partlow said.
“From a hacker mindset, that’s what makes them a bigger target than others,” he said.
Even in cases where ransoms are not extracted, the data stolen from health care providers is still prized by hackers, said Lisa Plaggemier, executive director at National Cybersecurity Alliance, a Washington, D.C., nonprofit that works to educate companies and individuals on internet security and partners with the Department of Homeland Security.
Lists of names, addresses, dates of birth and Social Security numbers can be used for identity theft, such as fraudulent credit card applications. Criminals may also use the data to call the victims posing as their bank or credit card company in order to extract even more information.
“Very often people will think to themselves the person has all this data, they must be legitimate,” she said.
Once hackers have exhausted the data, it’s often then sold on the dark web, Plaggemier said. There it may end up being combined with other stolen data to create an even fuller picture of someone’s identity.
Health care firms typically offer complimentary credit monitoring to customers whose data has been compromised, providing a warning every time their credit score is checked. Plaggemier said victims should consider requesting a credit freeze, especially if a child’s personal data has been compromised.
“If your kid isn’t getting a mortgage anytime soon, you should be putting a freeze on their credit,” she said.
Frequent checking of bank and credit card statements and changing of passwords are also good “data hygiene” after a data breach, Plaggemier said.
Not all hacks are motivated by money. Hospitals are also at risk from cyberattacks, which can originate from criminal groups but also nation states, like Russia, China, North Korea and Iran, she said.
At least one cyberattack on a hospital has resulted in a patient death, Plaggemier said. One-quarter of health care facilities that were the target of a ransomware attack reported an increase in mortality rates afterward, a survey of more than 600 health care facilities by the Ponemon Institute found.
“The speed of technology and the speed of bad actors evolving their techniques, you have to be really prepared for it to happen,” Plaggemier said. “It’s a when not an if.”