Data Breach Lawsuits on the Rise: Is Your Healthcare Organization Prepared?


Cyber attacks in the healthcare industry threaten patient care and privacy. While PHI and PII exposure is often immediate, there is also a long-term cost of cyber attacks. Healthcare organizations often face lawsuits following breaches. And these incidents are on the rise. 

Lawsuits are financially costly, but they can also take a toll on your organization’s image. Here’s what healthcare facilities should know about the recent uptick in lawsuits and how you can boost data security.

Data Breach Lawsuits Are on the Rise

It’s no secret that cyber attacks against healthcare organizations are on the rise. Data shows that data breaches in healthcare increased by 55.1% between 2019 and 2020. And this upward trend doesn’t seem to be slowing down. 

During the first six months of 2021, there were 377 breaches reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). This marks a nearly 40% year-over-year increase between mid-year 2020 and 2021. And as this data rolls out, cyber experts predict that healthcare breaches will triple in 2021. Some recent examples include:

  • Northern Light Health is facing a class-action lawsuit for the Blackbaud breach that affected over 650,000 people (about half the population of Hawaii). This was a global attack targeting the fundraising platforms of over 25,000 organizations. 
  • Two patients filed a lawsuit against Hackensack Meridian Health alleging the health system failed to protect their information from a ransomware attack.
  • Scripps Health is facing a class-action lawsuit for the malware attack that compromised their system’s network. Plaintiffs allege that Scripps failed to properly secure and protect patients’ health information and that they now face a lifetime risk of identity theft.

While these are some of the higher-profile lawsuits in the industry, organizations of all sizes are facing legal action for data exposure. Lawsuits stem from HIPAA (Health Insurance Portability and Accountability Act) violations and internal mismanagement of medical records, as well as external attacks.

Even a small mishap can lead to millions of dollars in damages. Facilities need to do everything they can to protect their assets, as well as the privacy of their patients. 

How to Protect Your Healthcare Organization

Healthcare IT teams have a daunting task. As cyber criminals use increasingly sophisticated tactics to access data, your organization needs to prioritize cybersecurity. The best way to avoid lawsuits is to prevent data breaches. And this involves a wide set of tools and cybersecurity services. 

Ways to protect your facility against breaches, and lawsuits, include:

  • Schedule Penetration Testing: The first step in preventing breaches and lawsuits is assessing your organization’s security posture. A simulated attack is one of the best ways to do this. During a penetration test, ethical hackers use both manual and automated techniques that mimic real-world threat actors to demonstrate the impact of successfully exploiting vulnerabilities and misconfigurations in your organization. This shows how effectively your organization can prevent unauthorized access to its network, databases, and endpoint devices. The cybersecurity firm then generates a report detailing how the hackers achieved their objectives and what your IT team can do to prevent real-life attacks.
  • Security Awareness Training: The reality is that one internal slipup can lead to a data breach, and later, a lawsuit. Mishandling of ePHI and other sensitive information is a significant risk. Healthcare organizations need to train employees on HIPAA (Health Insurance Portability and Accountability Act) compliance, patient privacy, email security, password management, and incident response. Update training modules regularly to reflect current best practices. Cybersecurity is everyone’s responsibility, and user training fosters a culture that echoes and enforces that sentiment.
  • Encrypt Sensitive Data: If a threat actor gets their hands on patient data, you want to limit what they can do with it. This is where encryption comes in. Encrypting data makes it more difficult for hackers to access the information they are seeking, reducing the risk of data exposure. 
  • Third-Party Risk: Security is a factor in every step of the healthcare supply chain, so organizations need to select third-party vendors carefully and assess those chosen routinely. Vulnerabilities in third-party tools or services could lead to a breach within your organization. A proactive third-party risk management program is essential to spotting these vulnerabilities and choosing vendors that prioritize security.
  • Mature Incident Response: Avoiding lawsuits requires more than implementing cybersecurity technology. Organizations should also put a clear incident response plan together and test it. This way, you can take the proper measures when a breach does occur. Addressing damages in a timely and efficient manner can reduce the impact of a successful breach, facilitate swift and responsible notification of patients and authorities, and ensure compliance with regulatory requirements, mitigating costly repercussions.
  • Stay Up to Date: Many cyber criminals target hundreds, if not thousands, of healthcare organizations at a time. The Orangeworm Kwampirs Trojan attack was a prominent example from 2020. IT teams should stay up to date with the latest cyber attacks and learn the signs of these common data breaches. Notifying employees and third-party vendors of these attacks can also be helpful.

In healthcare, patient data is a valuable target. Organizations need to safeguard this data with a comprehensive set of cybersecurity tools and policies. But this is not realistic for every IT team. 

The technology and monitoring required to prevent data breaches can be difficult for in-house IT teams to sustain. Often, IT professionals are too focused on keeping the facilities running to prioritize data loss prevention. This is where outsourced IT comes in. 

A cybersecurity consulting firm will be a valuable resource in building and improving your cybersecurity strategy. These professionals can monitor networks and endpoints, spot and prioritize vulnerabilities, provide testing and logging, and kickstart incident response. They will also ensure that your team complies with reporting laws in the event of a cyber incident.

Fortified Health Security is proud to offer managed cybersecurity services to our healthcare partners. We know the true cost of cyber-attacks and work with customers to assist in avoiding both breaches and lawsuits. Based in Franklin, TN, our specialists work with healthcare organizations to help identify vulnerabilities, monitor threats, mitigate risk, and maintain a proactive cybersecurity strategy. Contact us today to discuss your security needs.