Why the health care industry is one of the biggest cybercrime targets
The HHS calls hacking and ransomware "the primary cyber-threats" to the health care sector. They are becoming more frequent and more sophisticated as the industry relies heavily on digital technology, whether electronic records, telehealth, internet-connected devices, or connections to insurance companies and vendors. Older equipment might be incompatible with security measures but too expensive to replace.
In 2023, ransomware attacks against the health care sector worldwide nearly doubled over the year before, according to the Office of the Director of National Intelligence. There were 389 victims in 2023 compared with 214 in 2022. Over the past five years, large breaches involving hacking increased 256% while ransomware shot up 264%, according to the HHS. Attacks can affect millions in one fell swoop.
Among the recent large breaches was one involving the Kaiser Foundation Health Plan and its 13.4 million members. What Kaiser Permanente described to TechCrunch as "online technologies" installed on its website and applications resulted in members' searches being forwarded to the likes of Google, X (formerly Twitter), and Microsoft. No Social Security numbers, financial information, or credit card numbers were shared, the company told the Los Angeles Times, but IP addresses—which identify a particular computer—might have been.
The Concentra Health Services breach, in contrast, affected about 4 million individuals, roughly a third as many people as Kaiser Permanente's breach. The company used a medical transcription company called Perry Johnson & Associates, which was hacked in 2023 in an incident that had already compromised about 9 million people at the time. Patient data divulged included names and addresses, birth dates, Social Security numbers, and other information.
A&A Services, which does business as Sav-Rx, appears to have paid a ransom when it was hit with ransomware, according to The HIPAA Journal. The journal based that assessment on the company's statement that data taken from its system was destroyed. A&A Services, a pharmacy benefits management company based in Fremont, Nebraska, said it was able to get its systems running the next day with no delay in prescriptions.
Sometimes, not only health care companies but even the affected patients themselves are contacted, as was the case for INTEGRIS Health's Oklahoma patients. Hackers emailed individuals directly and demanded $50 from each; otherwise, they threatened to sell the data on the dark web. To prove they actually had the data, the hackers included addresses, phone numbers, birth dates, and Social Security numbers in their emails.
The challenges facing the health care industry are significant. Health care breaches remain the most expensive across all industries, according to IBM's 2024 Cost of a Data Breach report. The average cost of a health care data breach did fall over the last year, from $10.93 million in 2023 to $9.77 million in 2024, but that's still twice as expensive as the average for all industries.
Critics in the industry say hospitals and other health care institutions are often far behind other sectors in boosting their cybersecurity, even with such simple steps as installing patches for known vulnerabilities. Moreover, financially strapped organizations may struggle to pay for cybersecurity professionals.
What is being done to help the industry tackle the problem? The HHS is trying new requirements balanced by voluntary measures and seeking funds to incentivize hospitals to meet cybersecurity goals. It has proposed rewriting the HIPAA rule—or the Health Insurance Portability and Accountability Act, which requires protecting patient information—to address cybersecurity. It could also tie Medicaid and Medicare funding to heightened cybersecurity, according to the Associated Press.
The Biden administration launched the Universal Patching and Remediation for Autonomous Defense, or UPGRADE, program, to create IT tools that can better fend off cyberattacks in hospitals. It also announced efforts from the private sector.
Microsoft has agreed to provide grants giving smaller organizations up to a 75% discount on security products and free cybersecurity training and assessments for eligible rural hospitals. Google will also provide advice for rural hospitals and nonprofits, as well as discounts for its suite of tools. In the meantime, New York proposed cybersecurity changes for its hospitals, along with funds to help pay for the improvements.
No matter what, the efforts will need funds. Former health official Iliana Peters told The New York Times, "Without additional resources to raise the bar, those health care providers and those health care payers are going to continue to make choices to pay for treatment or for cybersecurity."
Story editing by Carren Jao. Additional editing by Kelly Glass. Copy editing by Paris Close. Photo selection by Clarese Moller.