CHARLOTTE, N.C. — Patients have put their trust in hospitals, health plans and medical providers throughout the pandemic, but as medical professionals worked tirelessly to save lives, the health care industry could not stop hackers from causing a record number of security breaches, not just jeopardizing medical data, but personal and financial information too, a WCNC Charlotte analysis of federal data revealed.
U.S. Department of Health and Human Services records show health care companies in North Carolina and South Carolina have reported 47 large breaches of unsecured protected health information impacting more than 1.4 million people since 2020. The Office for Civil Rights is currently investigating 26 of those breaches, according to federal data. Most were the result of hackers/IT incidents, but there were cases of unauthorized access and one of theft, public records reveal.
"That's a very big number," UNC Charlotte Professor of Software Information Systems Dr. Mohamed Shehab said of the number of people impacted. "It's shocking."
Shehab said no matter how hard the health care industry works to secure networks and detect attackers quickly, breaches are inevitable.
"A lot of the systems that we trust, they get hacked," he said. "The question is not, 'Are you going to be hacked or no?' The question is, 'When are you going to be hacked?' Your privacy is eroding. It's going to happen."
He said with people volunteering so much of their personal information and hackers waiting for those same people to mess up, vulnerabilities persist.
"The weakest link in all of this is the user," Shehab said.
He said the pandemic has made health care data even more desirable. That data is used for ransom leverage, sold on the black market and exploited for malicious reasons. It's especially problematic since health care companies are entrusted with employee files, financial information and patient health records, which detail private medical battles.
"The problem with this kind of data, especially health data, most of the time, it doesn't only affect you," Shehab said. "It affects you and your relatives."
A federal law, enacted in 2009, requires certain companies to report these types of breaches to the people affected, DHHS and in some cases, the media. Federal investigations that follow routinely result in corrective action and in rare cases fines.
A congressional report, released in February, identified eight health care companies, including one in North Carolina, that were fined a combined $13 million following federal investigations in 2020 alone. In hundreds of other cases, meanwhile, the government required corrective action aimed at preventing future breaches. The report identified 656 breaches in 2020, most of which resulted in investigations.
Federal data identified more than 700 reported breaches in 2021, with 585 currently under investigation. Since the beginning of 2020, public records identify 83 million people impacted by large health care data breaches.
In light of the growing breach threat in the medical field, Shehab recommends patients only give what's absolutely necessary.
"Basically, try not to release as much information about yourself in the system," he said.
For your online medical accounts, he recommends two-factor authentication, calling it "another layer of defense." He's also a big believer in low-cost, or even free, password managers that create long, random passwords for you, so you only have to remember one and it's more difficult for hackers to make you their next victim.
"It enhances your security for sure," Shehab said.