States most impacted by health care data breaches in 2022

Gorodenkoff // Shutterstock It starts with an often-paralyzing attack on computer systems. Doctors scramble to notify patients awaiting surgery that their procedures have been delayed due to a ransomware attack. Sometimes a single cyberattack can impact hospitals across multiple states, as was the case when hackers targeted CommonSpirit Health in October 2022. Just one reported case of ransomware has allegedly led to the death of a patient. More often, patients’ sensitive information is served up to a market of seedy individuals around the world ready to cash in on someone else’s identity. Drata analyzed Department of Health and Human Services data to determine which states felt the largest impacts due to health care data breaches in 2022. The total number of individuals affected by all health care data breaches in each state reported to HHS was normalized as a rate per 10,000 people. Data was not available for Alaska, Idaho, and Washington D.C. The HITECH Act, signed into federal law in 2009, requires companies to report the breach of protected health information affecting 500 or more people to HHS. Around 38.5 million people in total were affected in some way by the incidents reported to HHS last year. Unfortunately, the data does not make it possible to know how many people may have been affected by more than one breach. Health care institutions are among the most targeted businesses in the world, chiefly because they hold such sensitive information about the patients they serve. Hospitals, home health agencies, and other institutions store patients’ phone numbers, Social Security numbers, addresses, and other things that would allow any would-be criminal to pose as a patient and open new credit cards or bank accounts in their name. In fact, roughly 44% of all reported identity theft in 2022 resulted in a fraudulent credit card account being opened, according to Federal Trade Commission data. The agency received a record number of fraud reports in 2021, with the total fraud reports for 2022 coming in on par with 2020. The years 2020 and 2021 marked an important pivot in how consumers shared their personal information, with the adoption of digital banking and retail shopping driven to modern highs as a result of the COVID-19 pandemic. In 2022, the FBI’s Internet Crime Complaint Center received millions of complaints of cybercrime with losses totaling $10.3 billion. It can take time–even years–for personal information compromised in a data breach to be used for a crime that brings the event to the attention of the FBI. But the pandemic also drove a rise in cyberattacks on hospitals and other health care businesses. And a good deal of that sensitive information begins its journey into nefarious hands when a hacker illegally accesses information at a health care institution. Hacking and IT incidents dominate reasons sensitive information was breached at health care organizations in 2022 Drata Sometimes an employee’s oversight in crafting an email with the wrong link or attachment can allow unauthorized access to private information, as happened in Wisconsin’s Department of Health and Human Services last year. However, the vast majority of data breaches at these companies happen through hacking and IT incidents. Most often, hackers accomplish this with malware that locks up the data until the victim organization pays the attacker a ransom. The federal government recommends against paying ransoms because companies cannot guarantee that a copy of the data won’t be sold to criminals anyway after the ransom is paid, and therefore paying is thought to encourage more of the behavior. In the top five states where the largest portion of the population was impacted by data breaches at health care organizations last year, all most commonly saw data breaches resulting from hacking. 48. Mississippi Sean Pavone // Shutterstock – People affected per 10,000 residents: 0.4 – Breaches reported: 1 – Most common type of breach: Unauthorized Access/Disclosure 47. Iowa Dawid S Swierczek // Shutterstock – People affected per 10,000 residents: 0.5 – Breaches reported: 1 – Most common type of breach: Hacking/IT Incident 46. Wyoming C Model // Shutterstock – People affected per 10,000 residents: 2.8 – Breaches reported: 1 – Most common type of breach: Unauthorized Access/Disclosure 45. Virginia Sean Pavone // Shutterstock – People affected per 10,000 residents: 6.3 – Breaches reported: 20 – Most common type of breach: Hacking/IT Incident 44. South Dakota Steven Frame // Shutterstock – People affected per 10,000 residents: 7.4 – Breaches reported: 3 – Most common type of breach: Hacking/IT Incident 43. Nevada Andrey Bayda // Shutterstock – People affected per 10,000 residents: 8.1 – Breaches reported: 3 – Most common type of breach: Hacking/IT Incident 42. Maine Joseph Sohm // Shutterstock – People affected per 10,000 residents: 8.6 – Breaches reported: 1 – Most common type of breach: Hacking/IT Incident 41. Nebraska Jacob Boomsma // Shutterstock – People affected per 10,000 residents: 11.2 – Breaches reported: 6 – Most common type of breach: Hacking/IT Incident 40. Connecticut Sean Pavone // Shutterstock – People affected per 10,000 residents: 13.2 – Breaches reported: 7 – Most common type of breach: Hacking/IT Incident 39. Minnesota IMG_191 // Shutterstock – People affected per 10,000 residents: 13.3 – Breaches reported: 6 – Most common type of breach: Hacking/IT Incident 38. Florida AevanStock // Shutterstock – People affected per 10,000 residents: 13.7 – Breaches reported: 23 – Most common type of breach: Hacking/IT Incident 37. South Carolina Susanne Pommer // Shutterstock – People affected per 10,000 residents: 16.8 – Breaches reported: 5 – Most common type of breach: Hacking/IT Incident 36. Maryland Real Window Creative // Shutterstock – People affected per 10,000 residents: 17.1 – Breaches reported: 11 – Most common type of breach: Hacking/IT Incident 35. New Mexico turtix // Shutterstock – People affected per 10,000 residents: 21 – Breaches reported: 1 – Most common type of breach: Hacking/IT Incident 34. Delaware Real Window Creative // Shutterstock – People affected per 10,000 residents: 21.6 – Breaches reported: 3 – Most common type of breach: Hacking/IT Incident 33. Rhode Island Sean Pavone // Shutterstock – People affected per 10,000 residents: 22.7 – Breaches reported: 5 – Most common type of breach: Hacking/IT Incident 32. Ohio photo.ua // Shutterstock – People affected per 10,000 residents: 24.3 – Breaches reported: 20 – Most common type of breach: Hacking/IT Incident 31. New Jersey Kamira // Shutterstock – People affected per 10,000 residents: 29.1 – Breaches reported: 22 – Most common type of breach: Hacking/IT Incident 30. Georgia Brett Barnhill // Shutterstock – People affected per 10,000 residents: 29.3 – Breaches reported: 17 – Most common type of breach: Hacking/IT Incident 29. Arkansas Eduardo Medrano // Shutterstock – People affected per 10,000 residents: 29.4 – Breaches reported: 4 – Most common type of breach: Hacking/IT Incident 28. Hawaii MNStudio // Shutterstock – People affected per 10,000 residents: 40.9 – Breaches reported: 3 – Most common type of breach: Hacking/IT Incident 27. Utah Canva – People affected per 10,000 residents: 41.1 – Breaches reported: 4 – Most common type of breach: Hacking/IT Incident 26. Missouri Joe Hendrickson // Shutterstock – People affected per 10,000 residents: 44.5 – Breaches reported: 9 – Most common type of breach: Hacking/IT Incident 25. California Canva – People affected per 10,000 residents: 49.4 – Breaches reported: 31 – Most common type of breach: Hacking/IT Incident 24. Alabama Sean Pavone // Shutterstock – People affected per 10,000 residents: 59.5 – Breaches reported: 5 – Most common type of breach: Hacking/IT Incident 23. Kansas Jacob Boomsma // Shutterstock – People affected per 10,000 residents: 76.2 – Breaches reported: 8 – Most common type of breach: Hacking/IT Incident 22. New York Canva – People affected per 10,000 residents: 81.8 – Breaches reported: 43 – Most common type of breach: Hacking/IT Incident 21. Tennessee CrackerClips Stock Media // Shutterstock – People affected per 10,000 residents: 83.5 – Breaches reported: 11 – Most common type of breach: Hacking/IT Incident 20. Louisiana Canva – People affected per 10,000 residents: 87.4 – Breaches reported: 3 – Most common type of breach: Hacking/IT Incident 19. North Carolina Derek Olson Photography // Shutterstock – People affected per 10,000 residents: 87.9 – Breaches reported: 18 – Most common type of breach: Hacking/IT Incident 18. Vermont Erika J Mitchell // Shutterstock – People affected per 10,000 residents: 91.8 – Breaches reported: 1 – Most common type of breach: Hacking/IT Incident 17. Oregon Josemaria Toscano // Shutterstock – People affected per 10,000 residents: 94.5 – Breaches reported: 6 – Most common type of breach: Hacking/IT Incident 16. Oklahoma Canva – People affected per 10,000 residents: 97.8 – Breaches reported: 4 – Most common type of breach: Hacking/IT Incident 15. New Hampshire Wangkun Jia // Shutterstock – People affected per 10,000 residents: 116.8 – Breaches reported: 8 – Most common type of breach: Hacking/IT Incident 14. Washington kan_khampanya// Shutterstock – People affected per 10,000 residents: 136.6 – Breaches reported: 18 – Most common type of breach: Hacking/IT Incident 13. Texas kintermedia // Shutterstock – People affected per 10,000 residents: 139.7 – Breaches reported: 40 – Most common type of breach: Hacking/IT Incident 12. Kentucky f11photo // Shutterstock – People affected per 10,000 residents: 140.3 – Breaches reported: 3 – Most common type of breach: Hacking/IT Incident 11. Illinois marchello74 // Shutterstock – People affected per 10,000 residents: 188.5 – Breaches reported: 21 – Most common type of breach: Hacking/IT Incident 10. Montana Jon Bilous // Shutterstock – People affected per 10,000 residents: 196.1 – Breaches reported: 2 – Most common type of breach: Hacking/IT Incident 9. Michigan Gerald Bernard // Shutterstock – People affected per 10,000 residents: 208.6 – Breaches reported: 21 – Most common type of breach: Hacking/IT Incident 8. Arizona Gregory E. Clifford // Shutterstock – People affected per 10,000 residents: 213.2 – Breaches reported: 9 – Most common type of breach: Hacking/IT Incident 7. Pennsylvania Real Window Creative // Shutterstock – People affected per 10,000 residents: 232.8 – Breaches reported: 27 – Most common type of breach: Hacking/IT Incident 6. Indiana KYPhua // Shutterstock – People affected per 10,000 residents: 306.1 – Breaches reported: 14 – Most common type of breach: Hacking/IT Incident 5. Massachusetts lunamarina // Shutterstock – People affected per 10,000 residents: 335.5 – Breaches reported: 13 – Most common type of breach: Hacking/IT Incident 4. Colorado Studio 1One // Shutterstock – People affected per 10,000 residents: 395.8 – Breaches reported: 9 – Most common type of breach: Hacking/IT Incident 3. North Dakota Jacob Boomsma // Shutterstock – People affected per 10,000 residents: 655.2 – Breaches reported: 1 – Most common type of breach: Hacking/IT Incident 2. West Virginia Canva – People affected per 10,000 residents: 703.9 – Breaches reported: 7 – Most common type of breach: Hacking/IT Incident 1. Wisconsin Tony Savino // Shutterstock – People affected per 10,000 residents: 743.2 – Breaches reported: 9 – Most common type of breach: Hacking/IT Incident Data reporting by Dom DiFurio. Story editing by Jeff Inglis. Copy editing by Tim Bruns. Photo selection by Elizabeth Ciano. This story originally appeared on Drata and was produced and distributed in partnership with Stacker Studio.