Prevalence of Data Breaches at Third Parties and Healthcare Data Breach Victims’ Lack of Interest on Free Credit Monitoring Services

Healthcare providers are spending on cybersecurity to enhance their protection against increasing and more sophisticated cyberattacks. Even with the improvements in an organization’s security posture, it is just as effective as the weakest point.

Cybercriminals are focusing their attacks more on the supply chain since these are typically the weakest links in security. Healthcare providers usually deal with several vendors which are normally given sensitive information or privileged access to healthcare systems. Many of the reported data breaches in 2022 involved business associates, which usually results in affecting a number of healthcare clients. Evaluating and handling supply chain threats is currently one of the major cybersecurity problems in healthcare.

New research done by SecurityScorecard and the Cyentia Institute looked into the reasons for the prevalence of data breaches at third parties and fourth parties. The Close Encounters of the Third (and Fourth) Party Kind report used information from over 230,000 primary companies and 73,000 vendors and solutions utilized by those companies.

Third parties and fourth parties bring in risk. Handling and minimizing those risks to a safe level is a challenge because of the complicated interconnection of third- and fourth-party associations. For instance, one small website code developer company provides code to help know the activities of individuals when visiting a website. Roughly 12,500 companies put that code on their web pages, and 232,000 fourth parties have associations with those companies. Although those 232,000 companies do not deal directly with the company, 98.7% got an indirect, once-removed connection with the website code developer. In the event of a breach of the company’s code, more or less 229,000 organizations may be exposed.

Third and Fourth Parties Tend to Have Poor Security Scores

SecurityScorecard investigated the scope of using third-party vendors. Based on its analysis, companies utilize about 10 third-party vendors on average. In medical care, the average was 15.5 third-party vendors. That figure is dependent on third-party vendors that are seen from outside-in scanning of a company’s Internet-facing infrastructure utilizing the Automatic Vendor Detection of SecurityScorecard. Although these numbers are fairly low, there are substantial fourth-party associations. Every organization usually has indirect associations with 60 to 90 times the number of fourth parties as third parties.

It is very common to have third and fourth-party data breaches. Over 98% of primary companies stated having a business relationship with a vendor that suffered a data breach in the last 2 years, and about 50% of the organizations got indirect associations with no less than 200 fourth-party vendors that suffered a data breach in the last 2 years. Security Scorecard likewise compared the security of first parties to third parties. 38.4% of primary organizations got the highest security rating of A as opposed to 17.7% of third parties. Then, third parties were about five times as likely to get a security rating of F as opposed to primary organizations. A look into fourth parties showed that they were 10x more probable to get a failing security rating than an A. Poor security scores do not always mean that an organization will encounter a data breach. However, according to SecurityScorecard’s analysts, organizations with poor security scores were 7.7% more likely to suffer a data breach.

A lot of companies are still not mindful of the potential exposures that come with third-party relationships. They just focus on managing their own security posture. Others know about those concerns, yet don’t take action based on the vendor’s security. They do not require vendors to satisfy particular criteria. Even companies that do have third-party security requirements still find it difficult to constantly keep track of compliance and development. The good news is that companies are now more attentive to vendor risk. Gartner reported that 60% of organizations now consider cyber risk as an important factor when transacting with third parties.

While cyber actors concentrate their hard work on the supply chain, it is very important to look at third and fourth-party risks. Although this can be a problem, the initial step for a company is to acquire visibility into the whole vendor ecosystem, because, without that visibility, a company cannot correctly evaluate risks and make good decisions. Upon identification of those third and fourth parties, SecurityScorecard recommends the following:

  • assessing those vendors’ security posture
  • engaging with those vendors and assisting them to strengthen their security
  • utilizing automation to regularly keep track of vendors’ cyber risk
  • generating warnings when there are prominent alterations to their security posture
  • helping the organizations to be more proactive and address vulnerabilities well before being exploited

Healthcare Data Breach Victims Tend Not to Take Advantage of Free Credit Monitoring Services

Kroll, a risk and financial advisory company, reported that healthcare is now the most breached sector, according to the number of data breaches the company has assisted with. 22% of the data breaches that Kroll investigated in 2022 happened at healthcare companies. It was just 16% in 2021, registering a 38% increase year-over-year.

Although there is an increase in healthcare data breaches investigated by Kroll, consumers seem to be not as concerned about healthcare data breaches compared to breaches of their financial data. 32% of the phone calls Kroll got were from people affected by healthcare
data breaches as opposed to 49% of calls from people affected by data breaches at financial organizations. The number of phone calls Kroll got from consumers impacted by breaches at financial organizations increased by 127% year-over-year. In spite of the rise in healthcare data breaches, phone calls from consumers about those breaches increased by 19% only.

Persons affected by data breaches at healthcare companies likewise tend not to make the most of the free credit monitoring and identity theft protection services that they are provided. 69% of those who were provided free services after a data breach at a financial organization used those services, as opposed to only 20% of those who were impacted by healthcare data breaches.

Although financial data is important to cyber criminals and is commonly misused, healthcare data breaches also put victims in danger. Whenever personal data is stolen together with driver’s license numbers and/or Social Security numbers, victims are vulnerable to identity theft and fraud, therefore it is shocking that very few healthcare data breach victims take advantage of these services.

It is additionally surprising with the number of legal cases that are currently being filed as a result of healthcare data breaches. It is typical to file several lawsuits after a healthcare data breach, frequently within days or weeks of receiving the notification letters. These lawsuits assert victims face a certain and elevated risk of identity theft and fraud due to the theft of their personal data and protected health information (PHI). The lawsuits frequently argue the limited duration of the provided credit monitoring and identity theft services to victims.

It is worth noticing the increasing breach notification pattern in healthcare of giving little details in breach notifications, therefore data breach victims cannot appropriately evaluate the risk they are facing. For example, breach victims aren’t usually informed about the theft of their data during a hacking incident. They are just told that their data was possibly stolen, or they are not advised that a ransomware group leaked their stolen data online. This may well be a reason why very few healthcare data breach victims make use of these services.

Although the information from Kroll seems to indicate that consumers aren’t very concerned about their healthcare data as much as their financial data in the event of breaches, concern does seem to be increasing. The number of consumers registering for credit monitoring and identity theft services increased by 66% year-over-year after a healthcare data breach. Nevertheless, the increase in people registering for credit monitoring and identity theft services is not as great as in finance data breaches, which was a 126% year-over-year increase.

Knowing the drivers affecting the Data Breach Outlook statistics is opinion-based, and it is essential that businesses merge this information with their own information from speaking with clients and market research.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone