How U.S. health care providers deal with hundreds of data breaches every year

This story is from The Pulse, a weekly health and science podcast.

Find it on Apple Podcasts, Spotify, or wherever you get your podcasts.

In October 2020, the computers at the University of Vermont Medical Center, which serves around a million people in the region, were not turning on. Staff could not access patient files, like treatment history and test results.

Hackers had encrypted the hospital’s data and demanded the hospital contact them. The hospital called the FBI and shut down their IT network to prevent the damage from spreading. In the meantime, providing care became a major challenge, said neurologist Kaley Kinnamon.

“It was probably (the) most stressful time period I’ve ever had in my life,” she said. “It was really hard because you knew that you weren’t providing the best care that’s available. You didn’t have nearly as much time [with patients] because you were spending so much time doing administrative tasks that are usually managed by the computers.”

She said the staff wrote down notes by hand. That made patient visits longer and created as many as 50 pages of records per patient per day.

“Doctors notoriously have bad handwriting, so it actually made communication much more difficult.”

They had to walk to the lab to get lab results, which meant the results came back slower. In some cases, doctors rely on quick test results to decide what to give a patient, and now they had to do whatever measurements they could by the bedside.

Stephen Leffler, president and CEO of the hospital, told Congress in September 2023 that the attack did not affect patient information, but infected thousands of servers and computers at the hospital. The state government sent a National Guard cybersecurity team to help scan computers for malware.

“The cyber attack was much harder than the pandemic by far,” Leffler said in his testimony.

By and large the hospital and clinics kept running, albeit with some tweaks.

“Early in the cyberattack, the first two days, we didn’t have a phone system because our phone is on the internet. We literally went to Best Buy and bought every walkie-talkie they had,” Leffler said.

The hospital had good backups for all the data and brought the system back after a few weeks.

Now, years after the attack, the hospital has better plans for handling situations like that, said Nate Couture, the hospital’s chief information security officer.

For instance, Couture said they now have the equivalent of an airplane’s black box, so that if another attack happens, they can trace where it came from and how it spread.

Laws have also changed. In 2023, the Food and Drug Administration implemented a rule that says medical device manufacturers have to follow stricter guidelines on how to keep their products secure from hackers.

There have been so many ransomware attacks on hospitals that most are better prepared for them by now, said Pam Dixon, cybersecurity expert and founder of World Privacy Forum.

“I’ve not talked to a health care provider in the recent past that is not fully redundant and has cloud backup, has all sorts of other backup on tapes.” Dixon said. “So, I think ransomware is actually becoming much less effective.”

One report released in 2023 found that almost 60% of health care IT professionals say they restored their data from backups after a ransomware attack, without paying a ransom.

However, it’s not just the immediate concerns about computer systems, providing care for patients under duress, and paying ransom; these attacks can have direct and lasting impacts on patients. For instance, Dixon says hackers still value the contents of medical data as targets: criminals could make thousands of dollars from credit card fraud, versus millions from systematic health information fraud.

She said if hackers get one person’s medical data, they could use it for identity theft. If they get a lot of health care data, they could work with shady doctors to change someone’s medical record, so a patient now has an expensive disease like diabetes or hepatitis C. The shady doctor could tell an insurance provider that they treated the patient for this nonexistent condition.

“The health care provider will then just pocket that money. Meanwhile the patient is sitting at home or wherever and they have no idea this has happened.”

Dixon said patients should sign up for electronic medical records if they can and check their health records once a month or once a quarter to make sure everything looks good. She added that people should not send health records to third party companies like fitness apps, because the more people have access to health records, the more they put their data at risk.