The ransomware attack on Change Healthcare in February that exposed more than 100 million records and caused widespread disruption of the U.S. healthcare system was the most significant data breach in the first half of the year, according to a recent a recent report by Kiteworks.
The attack, in which an affiliate of the ransomware group BlackCat/ALPHV stole 4TB of data, highlighted once again that healthcare systems in the United States and elsewhere continue to be a top target of ransomware and other threat groups, according to the company, which specializes in secure email communication and last month raised $456 million to raise its valuation to $1 billion.
In fact, five of the top 11 data breaches listed in Kiteworks’ “Top 11 Data Breaches in 1H 2024 Report” were in the healthcare industry, ranging from companies like Change, which is a subsidiary of UnitedHealth Group, to healthcare consortium Kaiser Permanente, UK blood test management company Synnovis, and Australian prescription delivery service MediSecure.
Other industries represented on the list include telecommunications and financial services. Others involve breaches of third parties.
The rankings are based on Kiteworks’ new Risk Exposure Index, which not only calculates the number of records exposed and financial impacts when assessing the severity of an attack, but also such factors as the sensitivity of the data exposed, the number of regulations impacted, and the use of ransomware by the attackers.
“Our findings reveal several alarming trends, from the rising prevalence of ransomware attacks to the vulnerabilities associated with third-party interactions and internal errors,” Patrick E. Spencer, vice president of corporate marketing and research at Kiteworks, wrote in the report, adding that it “highlights the critical importance of managing sensitive content communications across all sectors, especially as organizations increasingly rely on multiple communication tools and third-party services, which can create numerous entry points for cyber threats.”
It’s not surprising that many on Kiteworks’ list were in healthcare. The industry for the past several years has ranked high among those targeted by bad actors. Cybersecurity firm Sophos in a report late last month noted the rate of ransomware attacks on such facilities has reached a four-year high, with 67% of organizations surveyed saying they were impacted by ransomware this year, up from 60% in 2023.
The Change attack tied with the data breach on National Public Data at the most severe incident, with both garnering a rating of 9.46 on a scale of 10, according to Kiteworks.
The list of healthcare breaches includes:
1. Change (9.46 ): The company processes payments, medical and insurance claims, and prescription orders for hospitals and clinics, so when systems were shut down following the ransomware attack, it rippled throughout much of the U.S. healthcare industry, from patients unable to get prescriptions to health facilities not getting paid. Federal agencies and Congress also got involved, with lawmakers pushing minimum cybersecurity standards for healthcare providers and connected entities.
2. Synnovis (9.11 rating): The ransomware attack by the Qilin ransomware group in June on the UK pathology lab led to medical procedures getting postponed and patients being diverted to other facilities. Kiteworks said about 300 million records were exposed with the financial impact hitting $53.7 billion.
3. Kaiser (7.6): Kaiser Permanente in April started alerting members of a data breach that exposed 13.4 million records that included such sensitive information as names and IP addresses of customers. The company said that the information was transmitted to third-party vendors like Microsoft Bing, Google, and X (formerly known as Twitter). Kiteworks placed the financial impact at almost $2.4 billion.
4. MediSecure (7.56): The data of 12.9 million Australians who used the prescription delivery service was stolen by hackers in July in a ransomware attack. The sensitive data included users’ names, contact information, medical history, and prescriptions. The financial impact, which included ransom payments and legal fees, were more than $2.3 million according to Kiteworks, which last month introduced a refreshed MSP/MSSP program.
5. Cencora (6.23): The pharmaceutical company in February was hit by a cyberattack that leaked more than 1 million records the Fortune 50 firm got via partnership with such drug makers as Bayer and Pfizer. The records included personally identifiable information (PII) and protected health information, the bulk of which was managed by a patient support services subsidiary. The financial impact of the breach – which included regulatory fines, legal fees, and the costs of improving security and notifying individuals – was $179 million, Kiteworks found.
Other high-ranking data breaches involved telecoms and companies handling sensitive data:
6. National Public Data (9.46): The company collects PII data from a broad array of publicly available sources and sells it to companies for such use cases as background checks and mobile apps. A data breach in April exposed 2.9 billion records belonging to 1.3 million people. The information ranged from names and email addresses to Social Security numbers and phone numbers. The financial impact, according to Kiteworks, was more than $501 billion.
7. AT&T (9.37): The giant wireless carrier sustained two breaches that exposed more than 110 million records. One, for which AT&T agreed to pay a $13 million fine, involved breach of a third-party vendor. The second one did as well, resulting from the high-profile breach of data cloud giant Snowflake. The Snowflake breach also led to one at Ticketmaster, which with an exposure rating of 8.79 also landed on Kiteworks’ top 11 list.
8. U.S. Postal Service (7.31): The government agency reportedly shared the postal addresses of online customers with such vendors as Meta, LinkedIn, and Snap. Kiteworks said 62 million records were exposed and that the incident “points to vulnerabilities within governmental agencies managing public data.”
9. Evolve Bank (6.83): The banking-as-a-service firm said it was hit with a ransomware attack in May that exposed the sensitive information of 7.6 million customers. The high-profile LockBit group was behind the attack, which will have a financial impact of more than $1.3 billion, according to Kiteworks.
10. InfoSys McCamish Systems (6.23): The IT services management company also was a victim of LockBit. The company earlier this year divulged the ransomware attack, which occurred in late 2023 and divulged almost 6.1 million records.