HealthEC incident shows healthcare data breaches are getting out of control


A data breach at HealthEC, which exposed data belonging to almost 4.5 million patients, has sparked serious concerns about the state of cyber security in the healthcare sector, with experts warning that the problem shows no sign of abating.

HealthEC, which specializes in population health management, services 17 separate healthcare providers in the US, all of which have been affected.

Though the data breach was initially discovered in July, HealthEC only began notifying clients in late October after a review of the breach.

A subsequent advisory by the firm revealed the extent of the damage, with patient data including social security numbers, medical records, detailed information about diagnoses and treatments, and billing details all exposed.

HealthEC breach is the tip of the iceberg

News of HealthEC’s data breach picks up the new year where several other healthcare companies left off. Throughout 2023, a string of large-scale data breaches rocked confidence in the sector.

Managed Care of North America (MCNA) and medical transcription service Perry Johnson & Associates (PJ&A) both suffered breaches which affected over 16 million people combined, while an attack on HCA Healthcare affected over 11 million in a single breach.

Graham Smith, head of customer success at OryxAlign, told ITPro that the healthcare sector represents a veritable goldmine for threat actors, with attacks on the industry escalating in recent years.

“Health records contain a goldmine of information that can be sold on the dark web for an above average price,” he said.

Some reports value a health record at up to $1,000 on the black market, compared with around $5 for a credit card number or $1 for a social security number. Beyond resale value, the sensitive content of these records, and the fact that clinicians need them to treat patients, means a leak or outage directly risks patient wellbeing, which makes healthcare providers much more likely to pay ransoms.

A tempting reward isn’t the only thing drawing in threat actors, though. More often than not, healthcare companies leave doors wide open for unauthorized access and are sluggish in their response to attacks, according to Dirk Schrader, VP of security research and field CISO EMEA at Netwrix.

“Breach prevention and detection are quite often not swift enough,” he told ITPro.

“This leads to breaches going undetected for a longer period and endangering the victims even more,” he added.


This inability to swiftly detect and respond to security incidents means many organizations are fighting a losing battle, Schrader added. Combine this with the fact that many organizations have close ties with other providers, and the potential for a domino effect throughout the supply chain becomes greater.

“Their customers are not individuals but insurers, hospitals, and clinics,” Schrader said. “As they aggregate data from various healthcare organizations, the health tech providers should acknowledge that they are a prime target for attackers.”

With “no direct interactions with the individuals, they tend to underestimate the responsibility they hold and are lacking diligence for protecting the patients’ data they have access to,” he added.

More needs to be done, both inside healthcare companies and by the partners they work with, to ease the strain on their cyber security.

“For companies like HealthEC that manage the sensitive information of millions across providers, cyber security must remain a top priority,” said Andrew Costis, chapter lead of the adversary research team at Attack IQ.

“By adopting a more threat-informed defense strategy, organizations can proactively respond to threats,” he added. “Organizations can leverage the common tactics, techniques, and procedures (TTPs) used by threat actors, testing them against their current security measures to identify any gaps or potential blind spots.”

Costis argued that the focus for organizations operating in the healthcare space must shift from reacting to incidents to anticipating them. Consistently and rigorously testing their own systems against the techniques attackers actually use will not guarantee security, but it does build preparedness.
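The kind of TTP-against-controls check Costis describes can be scripted in miniature. The block below is an added example, not code from HealthEC, AttackIQ or any tool named in the article: it replays constructed telemetry events, each emulating one ATT&CK technique commonly seen in healthcare intrusions (the technique IDs are real; the log sources, field names and detection rules are hypothetical), through a small rule set and reports every technique that no rule catches. Two techniques are deliberately left without rules so the check has gaps to surface.

```python
"""Threat-informed coverage check (added example, not HealthEC's or AttackIQ's code).

Synthetic events emulating common intrusion techniques (ATT&CK IDs) are replayed
through a small set of detection rules; any technique that fires no rule is a
coverage gap to close before a real attacker exercises it.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Event:
    ttp: str          # ATT&CK technique ID the event emulates
    source: str       # hypothetical log source name
    fields: dict      # normalised event fields


# Constructed sample telemetry: each event stands in for one emulated
# technique a red team or breach-and-attack-simulation tool would run.
SAMPLE_EVENTS: List[Event] = [
    Event("T1566.001", "mail-gateway",
          {"attachment": "invoice.docm", "macros": True}),
    Event("T1078", "idp",
          {"user": "jdoe", "result": "success", "country": "NL",
           "previous_country": "US", "minutes_since_previous": 12}),
    Event("T1110", "idp",
          {"user": "svc-backup", "result": "failure", "failures_last_10m": 150}),
    Event("T1003.001", "edr",
          {"process": "rundll32.exe", "target_process": "lsass.exe",
           "access": "PROCESS_VM_READ"}),
    Event("T1486", "file-audit",
          {"process": "unknown.exe", "renames_last_1m": 3000,
           "new_extension": ".locked"}),
    Event("T1041", "proxy",
          {"dst": "203.0.113.10", "bytes_out": 4_000_000_000, "duration_s": 600}),
]

Rule = Callable[[Event], bool]


def macro_attachment(e: Event) -> bool:
    """Inbound mail carrying a macro-enabled Office attachment."""
    return e.source == "mail-gateway" and e.fields.get("macros") is True


def impossible_travel(e: Event) -> bool:
    """Successful login from a different country within 60 minutes of the last."""
    f = e.fields
    return (e.source == "idp" and f.get("result") == "success"
            and f.get("country") != f.get("previous_country")
            and f.get("minutes_since_previous", 10**9) < 60)


def lsass_read(e: Event) -> bool:
    """Non-allowlisted process opening LSASS memory for reading."""
    f = e.fields
    return (e.source == "edr" and f.get("target_process", "").lower() == "lsass.exe"
            and f.get("process", "").lower() not in {"msmpeng.exe", "csrss.exe"})


def mass_rename(e: Event) -> bool:
    """Burst of file renames to a new extension: the signature of encryption for impact."""
    return e.source == "file-audit" and e.fields.get("renames_last_1m", 0) > 500


# The rule set under test. Brute force (T1110) and exfiltration over a C2
# channel (T1041) are deliberately absent so the check has gaps to report.
RULES: Dict[str, Rule] = {
    "macro_attachment": macro_attachment,
    "impossible_travel": impossible_travel,
    "lsass_read": lsass_read,
    "mass_rename": mass_rename,
}


def coverage(events: List[Event], rules: Dict[str, Rule]) -> Dict[str, List[str]]:
    """Map each emulated technique to the names of the rules that fired on it."""
    hits: Dict[str, List[str]] = {}
    for e in events:
        fired = [name for name, rule in rules.items() if rule(e)]
        hits.setdefault(e.ttp, []).extend(fired)
    return hits


def gaps(events: List[Event], rules: Dict[str, Rule]) -> List[str]:
    """Techniques that produced no alert at all: the blind spots to fix first."""
    return sorted(ttp for ttp, fired in coverage(events, rules).items() if not fired)


if __name__ == "__main__":
    for ttp, fired in coverage(SAMPLE_EVENTS, RULES).items():
        print(f"{ttp:10} {'DETECTED by ' + ', '.join(fired) if fired else 'GAP'}")
    print("gaps:", gaps(SAMPLE_EVENTS, RULES))
```

Run as written, the report flags T1041 and T1110 as gaps: a brute-force burst against a service account and a multi-gigabyte outbound transfer both pass through without an alert. In practice the event list would be generated by an adversary-emulation tool and the rules would be the organisation's real SIEM or EDR content, but the loop is the same: emulate the technique, replay the telemetry, and treat every silent technique as a gap to close.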

Staff training is essential in stopping breaches

Smith says that staff training is key to mitigating cyber security risk, as employees are a frontline defense against unauthorized access.

“If we look at the most recent ICO data, 49% of cyber incidents were caused by staff clicking dangerous emails – phishing attacks,” Smith says.

“More needs to be done in all organizations to make staff aware of cyber criminal activity and their role in the post-attack clean up,” he added.

Healthcare companies need to take every step they can to protect their customers and clients because, as Jemma Davis, CEO and founder of Culture Gem, tells ITPro, the data in question should be “protected to within an inch of its life.”

“Any organization that has access to this level of data should consider itself to be privileged and respect this position. Mistakes of this nature should not be acceptable to any of us, and lessons must be learned,” she added.

George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.