Healthcare Experiences More Third-Party Data Breaches Than Any Other Sector
A recent analysis of data breaches by SecurityScorecard for its Global Third-Party Cybersecurity Breaches Report found healthcare was the worst-affected industry, with the highest volume of third-party breaches, followed by financial services. More than one-quarter (28%) of all breaches occurred at healthcare organizations, with financial services the second most targeted sector (16%). 35% of all reported healthcare data breaches occurred at third-party vendors, with financial services having the second highest percentage of third-party breaches (16%). Across all industry sectors, 29% of data breaches occurred at third parties, and 98% of organizations had at least one relationship with a vendor that had previously experienced a data breach.
The research for the study was conducted by SecurityScorecard’s Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team. The data was collected through an internally developed feed that gathers information on data breaches from publicly available sources. The data is organized by when breaches were made public in Q4 2023, not by when they occurred, which may have been several weeks or months earlier. The data therefore provides a snapshot of data breaches that occurred throughout 2023, with an emphasis on Q4 2023.
The STRIKE team attributed the high number of third-party breaches in the three most attacked sectors (healthcare, financial services, technology) to them being attractive targets due to the value of data they store and also the numerous, diverse, and specialized relationships organizations in these sectors have with third-party vendors. Organizations in these sectors have more third-party risk because they deal with more third parties.
The vendors that experienced the most breaches were those that provided technical services, such as software, IT products, and related services. Three-quarters of all data breaches at vendors occurred at those that provided technical services. Technology companies are attractive targets simply because they provide their software and services to a large number of clients. If a vulnerability can be found and exploited, threat actors can easily scale up their attacks with little extra effort and attack a great many clients, as was the case with the Clop threat group.
Clop exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution (CVE-2023-34362) and gained access to the MOVEit servers of around 1,840 organizations. According to an analysis by Emsisoft, more than 62 million individuals had their personal information stolen in those attacks. Unsurprisingly, given the extent to which the vulnerability was exploited, it was the most commonly exploited vulnerability (61%) and Clop was the most prolific threat actor. The ALPHV/Blackcat and LockBit ransomware groups shared second place, each accounting for 11% of data breaches; looking only at third-party data breaches, however, Clop accounted for 64%, with LockBit second at 7%. The remaining 29% of third-party breaches were spread across 29 other groups. The second most exploited vulnerability was Citrix Bleed (CVE-2023-496), which was exploited in 11% of attacks.
Given the number of third-party breaches, SecurityScorecard strongly recommends making third-party risk management an integral component of security programs, and this is especially important in healthcare. A recent study of healthcare organizations that have adopted the NIST Cybersecurity Framework (CSF) found that supply chain risk management had the lowest coverage of all NIST CSF categories.


