On July 10, 2023 the largest health system in the United States announced a data breach potentially compromising the protected health information of over 11 million patients.

An external storage location used for the automatic formatting of emails, including patient appointment reminders and notifications about programs and services offered by the health system, was accessed by unauthorized individuals. The breach, which is still under investigation, involved a staggering 27 million rows of data, potentially impacting approximately 11 million patients across 20 U.S. states.

The compromised data lists contained personal information including names, addresses, email addresses, phone numbers, dates of birth, genders, dates, and locations of service, as well as upcoming appointment details.

PatientLock POV: Importance and Impact

This breach, yet again, illustrates the persistent threat landscape surrounding the healthcare industry. As the largest health system in the country with nearly $50 billion annually in net patient service revenue according to the March 2023 Medicare Cost Report, it’s safe to assume this healthcare organization has more Information Security (IS) resources than most. As cybersecurity experts would say, the People, Process, and Technology. Yet, they still had an event.

Size. Does. Matter. 

Although an event occurred, organizations of this size tend to have resilient cybersecurity programs because they do have the luxury of people, process, and technology. Resiliency means they can experience a cyber event and get back to business and treating patients in short order. This is a luxury not all healthcare providers have, but something all providers need because bad actors target more than just large networks.

Resilience during and immediately following a cyber event mitigates the impact to patients, an entity’s finances, and public trust, so healthcare organizations of every size should prioritize cybersecurity and foster a collective effort to protect patient and business data. Healthcare organizations lacking dedicated Information Security (versus IT) personnel, which is most, should consider enlisting the help of a managed security services provider (MSSP) to assist in adopting and adhering to the NIST Cybersecurity Framework. It’ll dramatically increase your cyber resiliency, satisfy HIPAA and PCI, as well as cyber insurance requirements. Adopting NIST is an affordable and achievable for way any healthcare organization to significantly reduce cyber risk to their patients and business.

Breaches happen. Cyber resilient organizations can survive and even thrive post-event, if the right information security people, process, and technologies are in place.