New research on breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights shows that outpatient facilities and specialty clinics were attacked by cyber threat actors more often than hospital networks in the first half of 2021.
Critical Insight researchers said in their 2021 Healthcare Data Breach Report that cybercriminals have shifted their focus within the healthcare sector and are now targeting outpatient facilities and business associates more frequently than hospitals and health insurance companies.
Although large health systems are normally appealing targets for cyber threat actors, smaller healthcare companies usually have weaker security protections, which makes them easy targets for cybercriminals. The potential income from these attacks may be lower, but so is the effort needed to gain access to their systems and sensitive information.
Hackers are interested in electronic protected health information (ePHI) because it is worth far more than a Social Security number or credit card number. Scammers can profit from it in a variety of ways, from selling it on the dark web to submitting fake insurance claims. It doesn’t help that many health institutions use devices running obsolete operating systems, and that many devices were not designed with cybersecurity in mind.
The researchers said that healthcare data breaches are currently occurring at roughly twice the level of 2018, with data breaches attributed to hacking and IT incidents occurring at nearly 3 times the level of the first 6 months of 2018. In the first half of 2021, 70% of all healthcare data breaches involving 500 or more records that were submitted to the HHS’ Office for Civil Rights were hacking/IT incidents.
There may be a small drop in the number of data breach reports compared with the last 6 months of 2020, but that does not suggest cyberattacks are declining. The breach reports sent to the HHS’ Office for Civil Rights in the last 6 months of 2020 included numerous breach notices submitted by companies affected by the data breach at business associate Blackbaud. The number of reported breaches in the first 6 months of 2021 is greater than in the first half of last year, and it appears that the pattern of growing numbers of data breaches being reported each year will continue.
There continues to be a large increase in the number of cyberattacks on business associates of HIPAA-covered entities, which currently account for 43% of all healthcare data breach reports. In the first half of 2021, there were 141 data breaches submitted by business associates of HIPAA-covered entities. In contrast, there were just 66 data breaches submitted by business associates in the last 6 months of 2019. As these and other third-party breaches continue to make the news, they show that attackers are focusing more on this ecosystem of providers as a weak link in the cybersecurity chain.
Cybercriminals are unlikely to stop attacking healthcare institutions because the attacks are rewarding. It is up to healthcare companies and their business associates to strengthen their defenses against threat actors. The Critical Insight researchers have made a number of recommendations, such as assessing third-party risk more appropriately, routinely reviewing business associate agreements and making sure they clearly define roles and responsibilities, using more extensive protections against ransomware and phishing attacks, strengthening access controls, and practicing basic security hygiene.