2022-08-17

The data loss aspects of a breach, how much data and what types of data were lost, are part of what foretells the loss magnitude of that breach and the down-the-line implications that also carry costs.

In the healthcare sector, the 2022 Cost of a Data Breach report found that nearly half (47%) of the breaches analyzed exposed customer personal data, such as name, contact details, SSN, date of birth, passwords, or healthcare data, making it the most common type of breached record in the report. The unit cost for a record containing compromised employee or customer PII was USD 172-185, compared with the global average of USD 164 per record. Multiply this number by the number of lost records, and this one factor alone can amount to millions of dollars before any other costs have been added.

Healthcare data is also the costliest record for cybercriminals to obtain in dark web shops. Unlike a stolen credit card number, which can go for a few dollars, healthcare records, and what's inside them, go for about USD 250 each, and fake birth certificates based on compromised PHI go for at least USD 500 on the dark web. As a highly valuable commodity, personal health information (PHI) is often sold in cybercrime shops alongside other PII, but what makes it so valuable is the amount of data in one record and its extended shelf life. A credit card number can be deactivated and swapped by your bank in minutes, but healthcare data is not the kind you can easily change. If it's valid now, it's valid tomorrow, and even years down the line.

The amount of healthcare data that trickled into underground markets grew considerably during the COVID era, when attacks on hospitals increased to pressure them into paying extortion fees. PHI is most often used for identity theft and for obtaining services and accounts in the name of the victim. While it's not readily usable like a payment card, it's been an enabler of insurance fraud, tax return fraud, financial fraud, identity theft, and more. In some cases, this data was sold openly via mobile chat apps and fraudster forums. So how does this impact breach costs for healthcare providers? Lawsuits and class actions that drag through the legal system for years. As an example, the 2015 OPM data breach is only now (2022) settling class action suits that are costing an additional USD 63 million in settlements for the individuals whose data was compromised.

Unfortunately, stealing data is not the only way cybercriminals cause long-term damage in the healthcare sector. Cybercriminals also sell access to compromised networks and assets within hospital networks, monetizing backdoors and malware implants they share with other criminals, which can be the root cause of additional breaches and ransomware extortion down the line.