Healthcare Data

Healthcare Data: Common Target for Hackers

MARLENE MAHEU, PhD

April 30, 2019 | Reading Time: 4 Minutes


Why Healthcare Data is a Common Target for Hackers

Healthcare and hospital organizations face a significant volume of targeted data breach attempts from the hacking community. Healthcare is often seen as an easy target, and the reward for the attacker is frequently a treasure trove of confidential information that can be readily sold or exploited on the black market.

There is evidence to suggest that healthcare organizations are targeted twice as often as all other industries. According to an analysis by security software firm Fortinet, the average rate of intrusion attacks per day for healthcare companies is around 32,000, whereas for non-healthcare organizations this figure drops significantly to around 14,300.

Given this study, which is derived from healthcare threat telemetry data, it is unsurprising that the total number of healthcare records breached between 2009 and 2017 is an eye-popping 176.7 million.

Why hospitals are the most commonly breached and tend to have the most exposure

Electronic patient healthcare data contains a compelling amount of personal data with significant potential for malicious use. Highly sensitive and strictly confidential records are often kept about a patient’s welfare and treatment program.

This will often include confidential proprietary information, employee records, and personally identifiable customer details. If this information were to leak, it could pose a significant risk to a person’s finances and ongoing credibility.

To protect patients and greatly reduce the risk to them, organizations that handle electronic protected health information (ePHI) must comply with the Health Insurance Portability and Accountability Act (HIPAA) as well as other key healthcare regulations. Beyond the potential for significant fines, a healthcare organization also faces lost credibility and liability costs due to the damaging exposure that follows HIPAA violations.

Why certain kinds of hospitals are at greater risk

Several studies have examined which healthcare facilities are targeted by hackers. The data suggest that hospitals are targeted more commonly than any other covered healthcare entity, and that there are concerns with both physical and digital healthcare data compliance. Thefts of physical items such as paper records, microfiche, or film are more common than data breaches; however, it can be argued that data breaches typically compromise a higher volume of patient data and can have a more significant impact on the patient and the healthcare organization.

One key study was published in the American Journal of Managed Care (AJMC). In February 2018, the research team combined multiple data sets, comparing healthcare data breach information from the Office for Civil Rights (OCR) with the characteristics of hospital types from the American Hospital Association (AHA) databases.

The analysis looked at all large healthcare data security events that occurred from 2009 until 2016; an incredible 30% of high-volume attacks targeted healthcare organizations.

  • 215 healthcare organizations reported healthcare data breaches. This number counts only breaches impacting 500 (or more) patients.
  • 185 breaches took place at non-federal acute care hospitals
  • 30 hospitals experienced more than one breach over the research period
  • 1 hospital experienced four major breaches
  • 5 hospitals reported three major breaches
  • 24 hospitals suffered two major breaches

The 500-patient cutoff is key, as that is the arbitrary line that Health and Human Services (HHS) sets for distinguishing between breaches that must be reported immediately and smaller breaches that can be reported annually.

How can hospitals limit the risk of data breaches?

The threat to healthcare data remains extremely high, despite the widespread use of security technologies and operational protocols, and despite the focus placed on data protection by compliance mechanisms (particularly HIPAA/HITECH).

The American Journal of Managed Care (AJMC) also noted that the amount of risk experienced by different hospitals is based on factors such as market concentration, hospital governance, region of the facility, local attributes, health system membership, type of hospital, and bed size.

By looking at these and other characteristics, the researchers determined correlations that reveal the commonalities between breached organizations. The key findings are:

  • Private hospitals were less likely to experience data breaches than hospitals run by non-profits or government agencies
  • 6% of pediatric hospitals reported a healthcare data breach
  • 18% of teaching hospitals reported a healthcare data breach

How can Healthcare organizations protect against data breaches?

Healthcare organizations are frequently targeted by criminals because the balance of risk taken against reward gained makes them an easy target. IT systems can often be treated as a secondary priority by healthcare staff, who naturally focus their attention on patients and the welfare of others.

It can be argued that this is why healthcare IT systems are targeted: criminals can take advantage of the weak login credentials used by employees. Healthcare IT systems may not be managed and maintained to industry best practice, whether because of poor training of technicians or because complex software requires a down-level operating system, all of which can result in vulnerable IT systems with limited infrastructure security.

Attacks and attempts to breach healthcare data are becoming increasingly common, rising nearly 11% last year. According to Protenus, 407 breaches were reported in 2016, and this jumped to 450 in 2017. Thankfully, though, the attacks in 2017 were not on such a large scale as the year before, with 5.6 million total records compromised in 2017 vs. 27.3 million in 2016.

With healthcare attacks and reported breaches on the rise, it is important to protect your PHI and ePHI data. The basis of a powerful, resilient, secure, and HIPAA-compliant approach is leveraging a secure infrastructure platform. As you assess and improve your protections, be certain that any host you consider is not just HIPAA-certified but also complies with other key standards, such as the American Institute of Certified Public Accountants’ (AICPA’s) Statement on Standards for Attestation Engagements 18 (SSAE 18).

Bio:

Marty Puranik is the CEO and President of Atlantic.Net, a web hosting solution that provides HIPAA-Compliant, Managed, Dedicated, and Cloud hosting.
