HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents

The latest Beazley Breach Insights Report confirms healthcare is the most targeted industry sector, accounting for 41% of all breaches reported to Beazley Breach Response (BBR) Services.

Across all industry sectors, hacking and malware attacks were the most common cause of breaches and accounted for 47% of all incidents, followed by accidental disclosures of sensitive data (20%), insider breaches (8%), portable device loss/theft (6%), and the loss of physical records (5%).

Hacking/malware incidents have increased significantly since 2017, which BBR notes is largely due to a 133% increase in business email compromise (BEC) attacks. Accidental disclosure incidents fell across all industries and insider breaches remained at a similar level to 2017.

While hacking/malware incidents were the main cause of breaches in all other industry sectors, in healthcare they were on a par with accidental disclosures of protected health information, each accounting for 31% of reported breaches.

Insider data breaches were significantly higher than in other industry sectors and accounted for 17% of all reported healthcare breaches. 8% of reported healthcare data breaches involved the loss of physical records, 6% were portable device incidents, and 3% were social engineering attacks. 4% of breaches were not categorized.

Hacking/malware incidents increased by 55% in 2018 and accidental disclosures fell by almost 28%. As with other industry sectors, healthcare saw a major increase in BEC attacks.

The February report drew attention to the risk of BEC attacks: the compromise of a company email account, which is then used to conduct phishing and social engineering attacks on other employees in the organization and on business contacts. These scams are often conducted with the aim of obtaining sensitive information such as W2 Form data or tricking employees into making fraudulent wire transfers.

Beazley also drew attention to an increase in sextortion scams. One of the most common scams involves sending emails to employees claiming malware has been installed on their work computer which has recorded footage of them while they accessed adult websites. The hacker threatens to send a video containing webcam footage spliced with screen grabs of the websites that were being viewed at the time to the victim’s contacts.

These scams are conducted to extort money but also to install malware. Zip files attached to emails claim to include a copy of the video. Opening and executing the attachment triggers the download of information stealers and GandCrab ransomware.

Beazley reports that the sextortion cases that its BBR Services team has dealt with contained empty threats, although some clients experienced malware infections as a result of opening the attached files.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.