FMP Blog

Improving Payment Security

Written by Henri Cattier, Partner | 2/26/25 12:28 AM
Healthcare has second most data compromises in 2024

Approximately 10 times a week on average in 2024, a U.S. healthcare company experienced a data compromise event. (A “data compromise” is the term used for events where personal information is accessible to unauthorized individuals and/or for unintended purposes. This includes data breaches, data exposures and data leaks.)

This alarming statistic is among many insights in the recently published 2024 Data Breach Report. This report is released annually by the Identity Theft Resource Center (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime. After years of holding the dubious distinction of being the most frequently breached industry as quantified by unique data compromises, healthcare ceded the top spot in 2024 to financial services (also fairly concerning!).

It's worth pointing out that while it counted as only one data compromise in 2024, the Change Healthcare breach was responsible for 94% of the 203 million victim notices generated by supply chain attacks across all industries in 2024. Based on the 190 million victim notices it sent, Change Healthcare was the third biggest breach in 2024, behind Ticketmaster (560 million) and Advance Auto Parts (380 million). The next largest healthcare company was Kaiser Health Plan, with 13.4 million notices, making it #10 overall.

Source: ITRC 2024 Data Breach Report

Healthcare will remain a top target for data compromises

Healthcare and financial services firms are attractive targets for cyberattacks and data breaches because of the valuable data that they store, transmit and use to provide their services. Why healthcare and financial services? To paraphrase Willie Sutton, “Because that’s where the juiciest data is.”

For senior executives at hospitals, health systems, and health plans, cybersecurity threats are a persistent concern. Last year’s mega-breach at Change Healthcare disrupted cash flow and reimbursements for millions of U.S. healthcare providers and pharmacies, nearly crippling hospitals nationwide. Healthcare enterprises are investing millions of dollars in strengthening their defenses against cyberattacks, payment system breaches, and other external data infiltrations.

For Chief Information Security Officers (CISOs) and Chief Technology Officers (CTOs), the ITRC report provides useful data and insights into emerging cybersecurity threats, compliance updates, and technology risk management strategies critical to healthcare organizations.

One of the most significant vulnerabilities cited in the report is the lack of rigorous vetting of third-party vendors, leaving hospitals and larger enterprises susceptible to indirect breaches. This occurs, for example, when healthcare providers assume that payment gateway and merchant services vendors are fully protecting patient payment data as it travels across multiple channels within the health system. Protecting payment data is no longer just about the co-pay at the front desk, however. Protected Health Information (PHI) now travels on mobile applications and through patient portals. Securing financial transactions across the full range of applications and transit points is essential.


The Role of P2PE Solutions

As healthcare organizations work to make their information security systems more robust, they are increasingly implementing solutions with PCI-validated Point-to-Point Encryption (P2PE). A PCI P2PE solution is a combination of secure devices, applications, and processes that encrypt payment card data from the moment it is captured at a point of interaction (POI) device until it reaches a secure point of decryption. The adoption of P2PE solutions dramatically reduces the risk of data breaches and simplifies compliance with PCI DSS (Payment Card Industry Data Security Standard). This, in turn, cuts down on the security costs and regulatory burdens that healthcare providers face.

PCI P2PE solutions are validated by a standards body to ensure they meet the rigorous security requirements of the PCI P2PE Standard, and are listed on the PCI Security Standards Council (PCI SSC) website. There are over 124 listed solutions worldwide, with many specializing in healthcare, including Bluefin and InstaMed.

The Future of Healthcare Payment Security

Healthcare, like all industries, must remain vigilant and continue investing in appropriate measures to defeat bad actors attempting to penetrate information systems. Healthcare organizations should not assume that a reduced number of data compromises in 2024 equates to reduced risk!

Healthcare organizations must double down on proactive cybersecurity strategies, particularly with regard to financial transactions. By encrypting sensitive payment data at the point of entry and ensuring it never exists in a readable format within a provider’s network, healthcare organizations can significantly reduce their exposure to cyber threats.
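The property described above (and in the P2PE section earlier): card data is encrypted inside the POI device and is only readable again inside the solution provider's decryption environment, so a compromise of the provider's own network yields nothing usable. The Go model below is an added illustration, not code from Bluefin, InstaMed or any PCI-validated solution; it assumes a single AES-256-GCM key shared between the POI and the decryption environment, standing in for the key-injection and key-management controls the real standard requires.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// POI is the point-of-interaction device: it encrypts the card number (PAN) before anything
// leaves the device. DecryptionEnvironment is the secure decryption point; nothing in between has a key.
type POI struct{ aead cipher.AEAD }
type DecryptionEnvironment struct{ aead cipher.AEAD }

// NewP2PEPair builds a POI and decryption environment sharing one AES-256-GCM key (generated
// in-process here as a simplifying assumption; real solutions inject POI keys under P2PE controls).
func NewP2PEPair() (*POI, *DecryptionEnvironment, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, nil, err }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, nil, err }
	return &POI{aead}, &DecryptionEnvironment{aead}, nil
}

// Capture encrypts a PAN at the POI into hex(nonce || ciphertext || tag). The transaction id
// is bound as associated data, so a captured blob cannot be replayed under another transaction.
func (p *POI) Capture(pan, txnID string) (string, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	return hex.EncodeToString(p.aead.Seal(nonce, nonce, []byte(pan), []byte(txnID))), nil
}

// ProviderNetworkSeesPAN asks what a compromise of the provider's systems could recover:
// does the PAN appear anywhere in the blob they relay? Under P2PE it does not.
func ProviderNetworkSeesPAN(blob, pan string) bool {
	raw, _ := hex.DecodeString(blob)
	return bytes.Contains(raw, []byte(pan))
}

// Decrypt recovers the PAN only inside the decryption environment and fails closed on a
// malformed, tampered, or re-bound blob.
func (d *DecryptionEnvironment) Decrypt(blob, txnID string) (string, error) {
	raw, err := hex.DecodeString(blob)
	if err != nil || len(raw) < d.aead.NonceSize() { return "", errors.New("malformed blob") }
	pt, err := d.aead.Open(nil, raw[:d.aead.NonceSize()], raw[d.aead.NonceSize():], []byte(txnID))
	if err != nil { return "", errors.New("authentication failed") }
	return string(pt), nil
}
```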

In today’s digital landscape, adopting innovative payment security measures is not just an “upgrade”—it is a necessity and matter of survival. Healthcare leaders must take decisive action to protect patient data and financial transactions, ensuring the industry remains resilient in the face of evolving cyber threats.