2024 Velocity Healthcare Data Breach Report


In its third annual healthcare data breach report, Stern Security has critically analyzed over 5,900 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive 2024 Velocity Healthcare Data Breach Report. Stern Security augmented the HHS data by investigating every breach in 2023 to fully understand the cause of the incident.

This report shows critical insights into healthcare breach trends over the past 14 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third parties (business associates). This year, Stern Security has added a new breach categorization: the number of breaches due to the MOVEit file transfer software vulnerability. Review the report to see the significant impact that the MOVEit 0-day had on the healthcare industry. Once again, multiple breach milestones were set, with more healthcare breaches occurring and more records exposed in 2023 than in any previous year. This report puts forth the detailed analysis.

We sincerely thank our sponsors, Trend Micro and the Raleigh ISSA Chapter, whose contributions enable the ongoing pursuit of this important research and the free sharing of our findings.

Report

The full 2024 Velocity Healthcare Data Breach Report can be downloaded below.

Stay in the Loop

If you enjoy the report below and would like to be informed of future reports and research, please fill out the mailing list info below. Don't worry, we don't send many emails.

2023 Velocity Healthcare Data Breach Report


In its second annual Velocity healthcare data breach report, Stern Security has critically analyzed over 5,000 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive study. Stern Security augmented the HHS data by investigating each breach in 2022 to fully understand the cause of the incident.

This report shows critical insights into healthcare breach trends over the past 13 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third parties (business associates). This year, Stern Security has added a new breach categorization: the number of breaches due to analytics software, including the Meta (Facebook) Pixel. Once again, a new breach record was established, with more healthcare breaches occurring in 2022 than in any previous year. This report puts forth a detailed analysis.

Mailing List

If you enjoyed our 2023 Velocity Healthcare Breach Report and would like to join our mailing list to stay informed, please complete the form below.

The 405(d) HICP Cybersecurity Framework


What is 405(d) HICP?

405(d) Health Industry Cybersecurity Practices (HICP) is a healthcare cybersecurity framework created out of a congressional mandate in the Cybersecurity Act of 2015. Section 405(d) of this mandate has the goal of strengthening the cybersecurity posture of the healthcare and public health sector. A collective called the 405(d) Task Force was formed from both the public and private sectors. This task force contains members of the U.S. Department of Health and Human Services, over 200 healthcare and cybersecurity experts, and the Health Sector Coordinating Council. Their deliverable was the 405(d) Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. This framework contains 326 cybersecurity controls for organizations within the healthcare industry.

What is a Cybersecurity Framework?

A cybersecurity framework is a collection of controls that companies can put in place to reduce the risk of a cyber-attack. An example control could be "Enable Multi-Factor Authentication (MFA) for all Remote Access".

What Size Organizations Use 405(d) HICP?

Any size of organization can use the 405(d) HICP guidance. The framework is divided into three sections: Small Organizations, Medium Organizations, and Large Organizations. The framework recommends that healthcare organizations follow the controls specific to their size. One may ask how the size of an organization is determined. The framework contains a chart for organizations to use to determine their size. This chart is shown below.

Organization sizing guide (Department of Health and Human Services)

Is 405(d) HICP Only for Healthcare?

Most of the controls within 405(d) HICP can be used by organizations in any industry. However, there is one section of the framework, Section 9, which contains 25 controls for medical devices. This section simply would not apply to non-healthcare industries.

How Can I Follow the 405(d) Guidance?

The 405(d) HICP Framework can be found as a detailed PDF or a basic spreadsheet on the Health and Human Services website: https://405d.hhs.gov/protect/hicp. Unfortunately, working through the PDF or spreadsheet is not ideal because it takes considerable manual effort to create graphs that show progress and program maturity. Thankfully, Stern Security has built the 405(d) framework into Velocity. Within Velocity, the 405(d) framework is easy to use, has a clean interface, contains graphs that depict an organization's maturity, and has reports for download. Additionally, the controls for small organizations are completely FREE. Any organization can quickly sign up for a free Velocity account and start using the 405(d) HICP framework today.

Works Cited

Department of Health and Human Services. (n.d.). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. Retrieved from HHS 405(d) Aligning Health Care Industry Security Approaches: https://405d.hhs.gov/Documents/HICP-Main-508.pdf

2022 Velocity Healthcare Data Breach Report


In its first annual healthcare data breach report, Stern Security has critically analyzed over 4,000 data breaches since the Department of Health and Human Services began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from Health and Human Services to create this comprehensive report.

This report shows thought-provoking insights into healthcare breach trends over the past 12 years. It covers everything from the number of breaches attributed to ransomware to third-party (business associate) breaches. More healthcare breaches occurred in 2021 than in any other year, and this report illustrates the detailed analysis.

If you enjoyed the report and want to stay in the loop, please join our mailing list:

Breached Healthcare Records Surpass U.S. Population


Healthcare breaches have recently reached a grim milestone. As of June 10th, 2022, the number of Protected Health Information (PHI) records breached has reached 341,995,928. To put this in perspective, this number surpasses the United States population, which is 332,759,097 (United States Census Bureau, 2022).

As the graphs show on HealthcareBreaches.com, this startling loss of data is almost entirely due to hacking.

It must be noted that these numbers only include reported healthcare breaches containing 500 or more PHI records. Healthcare breaches under 500 records are not listed publicly. To view additional trends, please visit our healthcare executive data breach dashboard at https://www.healthcarebreaches.com/ and utilize the control panel on the left side to fine-tune your area of interest.
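The following is an added example, not code from Stern Security or HealthcareBreaches.com, showing how the categories the reports describe (hacking share of lost records, business-associate and ransomware counts, the records-versus-population milestone) can be computed over a breach list while applying the 500-record public reporting threshold noted above. The breach records, entity names and the ransomware flag are constructed for illustration; only the population figure is taken from the page.

```python
"""Added example: summarize a list of healthcare breaches using the report's
categories and the HHS 500-record reporting threshold. All breach rows below
are constructed sample data, not records from the HHS breach portal."""
from collections import Counter
from dataclasses import dataclass

US_POPULATION_2022_06_10 = 332_759_097  # figure quoted on the page (Census Bureau, 2022-06-10)
REPORTING_THRESHOLD = 500               # HHS publicly lists only breaches of 500 or more records


@dataclass(frozen=True)
class Breach:
    entity: str
    individuals_affected: int
    breach_type: str          # e.g. "Hacking/IT Incident", "Unauthorized Access/Disclosure"
    business_associate: bool  # True when a third party (business associate) was involved
    ransomware: bool          # assumption: set by investigating each incident, as the report does


# Constructed sample data; entity names are hypothetical.
SAMPLE_BREACHES = [
    Breach("Example Hospital A", 120_000, "Hacking/IT Incident", False, True),
    Breach("Example Clinic B", 750, "Unauthorized Access/Disclosure", False, False),
    Breach("Example Billing Vendor C", 2_400_000, "Hacking/IT Incident", True, False),
    Breach("Example Practice D", 480, "Theft", False, False),  # under 500: not publicly listed
    Breach("Example Lab E", 35_000, "Hacking/IT Incident", True, True),
    Breach("Example Pharmacy F", 5_200, "Loss", False, False),
]


def reportable(breaches):
    """Keep only breaches that meet the public reporting threshold."""
    return [b for b in breaches if b.individuals_affected >= REPORTING_THRESHOLD]


def summarize(breaches):
    """Return the headline figures the reports track, computed over reportable breaches."""
    rep = reportable(breaches)
    total_records = sum(b.individuals_affected for b in rep)
    breaches_by_type = Counter(b.breach_type for b in rep)
    records_by_type = Counter()
    for b in rep:
        records_by_type[b.breach_type] += b.individuals_affected
    hacking_records = records_by_type["Hacking/IT Incident"]
    return {
        "breach_count": len(rep),
        "total_records": total_records,
        # share of lost records attributable to hacking (the dominant cause on the dashboard)
        "hacking_record_share": hacking_records / total_records if total_records else 0.0,
        "business_associate_count": sum(1 for b in rep if b.business_associate),
        "ransomware_count": sum(1 for b in rep if b.ransomware),
        "breaches_by_type": dict(breaches_by_type),
        # the milestone described above: breached records exceeding the U.S. population
        "exceeds_us_population": total_records > US_POPULATION_2022_06_10,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_BREACHES).items():
        print(f"{key}: {value}")
```

Swapping `SAMPLE_BREACHES` for rows parsed from the HHS breach portal export gives the same summary over real data; the threshold filter matters because sub-500 incidents never appear in that export, so any population comparison built on it is a lower bound.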

Works Cited

United States Census Bureau. (2022, June 10). U.S. and World Population Clock. Retrieved from United States Census Bureau: https://www.census.gov/popclock/