Texas Attracts Most Healthcare Data Hacks But It Is Fighting Back

Texas Public Radio | By Paul Flahive

Published April 5, 2019 at 4:14 PM CDT

Cyber criminals stole the health records of more than 9 million Americans last year, according to data from U.S. Health and Human Services. The data collected includes breaches from hospitals, health insurers and other health organizations covered by the Health Insurance Portability and Accountability Act, which makes breaches public when they affect more than 500 people.

Texas has led the country in total hacking breaches reported to HIPAA for four of the past five years. The state also ranked high in total number of records stolen, with more than 1.4 million individuals鈥� records stolen since 2014.

鈥淲e don鈥檛 see Texas hospitals as being any more vulnerable than other parts of the country,鈥� said Lance Lunsford, vice president for communications at the Texas Hospitals Association.

Texas is the second-most populous state, and it has more hospitals and more places to attack, he said. California, the most populous state, also has high numbers of cyber-based data breaches. according to HHS.

鈥淭he statistics are indicative of the large population of patients Texas serves and the corresponding number of providers,鈥� he said.

Data shows that despite Texas often being in the top two for total breaches, over the past five years it鈥檚 further down the list when it comes to individual records affected. Last year, criminals stole the records of more than 178,000 Texans, less than half than 2017. By comparison, breaches in North Carolina and Iowa saw 2.6 and 1.5 million individuals鈥� records exposed, respectively.

Most years, Texas suffers from more hacking data breaches. Last year, a coding error led to the exposure of the data of more than 1.2 million people.

Lunsford concedes Texas hospitals are having to devote more resources to cyber security, from large urban systems to remote rural clinics, and it gets harder the less money there is.

鈥淵ou can put some of these rural hospitals that are really in very narrow margin businesses in a tough position because they can鈥檛 make these kinds of investments,鈥� he said. 鈥淎s these attacks have picked up over the years, hospitals have been more and more direct targets because they have not only key financial data but also sensitive patient health information,鈥� he said.

Nationwide, hacking made up nearly 70 percent of all data breaches by affected individuals, making up more than 9 million of the 13 million reported in 2018.

Credit ratings agency Experian how much could be made in the black market sale of stolen personal data. It said that while a Social Security number could go for as little as a dollar, a medical record could go for as much as a thousand dollars, or more than 10 times what a credit card number goes for.

鈥淚t鈥檚 huge,鈥� said Sam Dibrell, chief technology officer for the the Foundation for Trusted Identity, an organization that works with hospitals to secure their physical and cyber facilities. 鈥淲ith a health record you鈥檝e got personal identifiable information. You can establish a long-term, fraudulent relationship with banks and other lenders and from a criminal standpoint you can profit significantly.鈥�

Dibrell said cyber criminals are waking up to the fact that these records are profitable, and they are increasingly going after hospitals he calls 鈥渟oft targets.鈥�

鈥淯ntil health care catches up and says, 鈥榃e really need to start spending a lot of money on cyber security and keep these records safe,鈥� it鈥檚 going to continue to happen.鈥�

According to a 2016 study by the SANS Institute 鈥� which provides training and certification to its cyber security members 鈥� the healthcare industry was spending 4 to 6 percent on security. But many in the field think it is less about dollars and more about understanding an individual organization鈥檚 risk.

鈥淭here is no amount of money you鈥檙e going to spend will reduce the risk of a breach to zero,鈥� said Jon Moore with Clearwater Compliance, a cyber security firm working with the Texas Hospital Association.

Over the years he said he has seen it improve in some ways. For instance, the numbers of unencrypted data lost on thumbdrives and laptops that are stolen or misplaced is down. On the other hand, the number of fishing attempts and successes, where a fraudulent email is sent to personnel and captures data or access, is exploding across the country.

鈥淚t鈥檚 like squeezing a balloon. You squeeze it, and it just pops up somewhere else,鈥� Moore said.

Paul Flahive can be reached via email Paul@tpr.org or on Twitter .