Nearly 10% of Floridians had health records hacked by 2022, HHS reports
TAMPA, Fla. (WFLA) — The American Hospital Association says cybersecurity risk is a major concern for healthcare organizations, largely because of the amount of information they have on file, much of which is “of high monetary and intelligence value” to cyber thieves and “nation-state actors.”
On Thursday night, Tallahassee Memorial Hospital’s online systems were put under siege and targeted in what appeared to be a ransomware attack, bringing the risk of hacked hospitals closer to home for Floridians.
While the hospital’s IT security team shut down the network to contain the attack, and in doing so shut down all non-emergency procedures, it took three days for the hospital, and its larger system, to resume normal operations.
Tallahassee Memorial is part of a larger network, Tallahassee Memorial HealthCare. The non-profit system has been in operation since 1948 and now serves 66 locations in North Florida, South Alabama and South Georgia, in 21 counties.
The February 3 IT security issue, as TMH describes it, affected IT systems, causing the system to divert emergency services and cancel outpatient and non-surgical procedures until Monday. At that time, TMH was still accepting level 1 trauma patients. The company also got in touch with the police to work on the investigation of the attempted intrusion.
Still, TMH said operations remained affected even as resumed operations expanded.
According to a February 6 publication, surgical procedures are still limited, and offices are using paper documentation for registration, admissions and filling prescriptions, advising patients to expect some delays. Some emergency room patients are still being diverted.
Part of the problem with the IT security attack is how much of a hospital’s system is connected to the internet, in what is known as the Internet of Medical Things, or IoMT.
For some systems, if a hacker can get into a computer, they can get into everything from patient records to billing information, to even controlling some medical equipment used for critical healthcare.
The National Institute of Health said remote patient monitoring, screening and telehealth treatments have helped change healthcare to focus on “early diagnosis, prevention of spread, education and treatment, and ease of living in the new normal.” However, the integration creates its own challenges.
“Mass adoption appears challenging due to factors such as privacy and data security, handling large amounts of data, scalability and upgradeability, etc.,” the NIH reported, adding later in the study that “several challenges and implications exist today that must be addressed before mass adoption of IOMT, such as privacy and data security, data management, scalability and upgradeability, regulations, interoperability and cost-effectiveness.”
Data security and privacy remain a challenge due to the “large volume of sensitive health data” for patients, as well as its integration into patient monitoring and system management, according to the NIH.
Wipro, a technology services and consulting company, said IoMT devices can range from defibrillators to patient monitors to oxygen pumps and nebulizers. They said “implementation of appropriate security measures is critical” to ensure patient data security.
However, researchers say security breaches can also lead to loss of life in the healthcare sector.
“Since most IoT devices were not developed with security in mind, they are highly vulnerable to security breaches. And you can imagine that such compromised security could lead to untold chaos and loss of life, especially in the healthcare sector,” according to Richard van Hooijdonk, a self-described futurist and technological implant advocate. “The proliferation of IoMT devices and their lack of security, combined with ubiquitous Internet connectivity, the scope for attack expands significantly, making healthcare one of the most ‘popular’ targets for cybercriminals.”
Bringing us back to Tallahassee, a TMH spokeswoman said in part on Tuesday that its staff was working with “outside experts and state and federal agencies to investigate the cause of the incident and safely restore all computer systems as quickly as possible.”
More broadly focused on Florida and the rest of the country, Jotform did an analysis of the United States, focused on ranking them by health record hacking.
According to the analysis, created by gathering information from the US Department of Health and Human Services, the US Census Bureau, and a data security report by IBM, Florida is among the 10 states most at risk of health information breaches.
Jotform reported that while record breaches are sometimes due to mismanagement by healthcare professionals, the majority were “overwhelmingly” breaches from hacking incidents. 80% of record breaks in 2022 came from hacks.
Florida had the seventh highest number of reported records affected, and highest estimated costs, of all 50 states due to hacking of medical and health records, according to the Jotform ranking.
| Rank | State | Individual records affected | Estimated costs |
|---|---|---|---|
| 1 | Texas | 4,957,050 | 738.6 million dollars |
| 2 | Wisconsin | 4,498,306 | 670.25 million dollars |
| 3 | Pennsylvania | 3,063,706 | 456.49 million dollars |
| 4 | Massachusetts | 2,458,139 | 366.26 million dollars |
| 5 | Colorado | 2,435,269 | 362.86 million dollars |
| 6 | New York | 2,374,743 | 353.84 million dollars |
| 7 | Florida | 2,254,815 | $335.97 million |
| 8 | California | 2,002,177 | 298.32 million dollars |
| 9 | Michigan | 1,925,438 | $286.89 million |
| 10 | Illinois | 1,833,579 | 273.2 million dollars |
According to federal records, 1.8 million Floridians were affected in 2022, including in parts of Tampa Bay.
| Covered unit | State | Device type | Persons affected | Break date | Type of breach |
|---|---|---|---|---|---|
| Ravkoo | FL | Health personnel | 105,000 | 01/03/2022 | Hacking/IT incident |
| South Walton Fire District | FL | Health personnel | 25,331 | 15/11/2022 | Hacking/IT incident |
| OCEANVIEWS OPTICAL INC | FL | Health personnel | 2000 | 03.11.2022 | Hacking/IT incident |
| Seredor Centers, Inc. | FL | Health personnel | 2500 | 08.10.2022 | Hacking/IT incident |
| Landmark Management Services | FL | Health personnel | 501 | 15/09/2022 | Hacking/IT incident |
| Synergic Healthcare Solutions, LLC d/b/a Fast Track Urgent Care Center | FL | Health personnel | 258,411 | 07.12.2022 | Hacking/IT incident |
| First Steps in Sarasota, Inc. | FL | Health personnel | 1,858 | 25/02/2022 | Hacking/IT incident |
| Jacksonville Spine Center, PA | FL | Health personnel | 38,000 | 10/02/2022 | Hacking/IT incident |
| North Broward Hospital District d/b/a Broward Health (“Broward Health”) | FL | Health personnel | 1,351,431 | 01/02/2022 | Hacking/IT incident |
| Foundcare, Inc. | FL | Health personnel | 14,194 | 16/12/2022 | Hacking/IT incident |
| Orlando Health | FL | Health personnel | 3,662 | 18.11.2022 | Hacking/IT incident |
| Phoenix Programs of Florida, Inc. | FL | Health personnel | 6,594 | 21/10/2022 | Hacking/IT incident |
| Bonita Springs Retirement Village, Inc. | FL | Health personnel | 554 | 19/09/2022 | Hacking/IT incident |
| Florida Springs Surgery Center | FL | Health personnel | 2.203 | 08.01.2022 | Hacking/IT incident |
| Total | 1,812,239 |
