Epic is Next: What I've Learned from the 50 Largest Data Breaches and Cyber Attacks on the American Healthcare System
At this point, we should all be at peace with the fact that somewhere across the U.S. healthcare system, our patient data has been compromised, either by hackers or by tech companies selling your data
Welcome to AI Health Uncut, a brutally honest newsletter on AI, innovation, and the state of the healthcare market. If you’d like to sign up to receive issues over email, you can do so here.
Change Healthcare wasn’t the first hacking attempt on an American healthcare system, and unfortunately, it won’t be the last. At this point, we should all be at peace with the fact that somewhere across the U.S. healthcare system, our patient data has been compromised, either by hackers or through tech companies selling our data to third parties.
On Tuesday, October 10, 2023, at 9:45 pm EST, I received an email from 23andMe stating that some of my genetic data may have been hacked. If this is the same data breach that was reported two months prior, and the company has remained silent towards its customers until now, I have numerous questions—none of which are pleasant.
This email comes nine days after an unknown entity took to an online crime forum to advertise the sale of private information for millions of 23andMe users. The forum posts claimed that the stolen data included origin estimation, phenotype, health information, photos, and identification data. The posts claimed that 23andMe’s CEO, Anne Wojcicki, was aware the company had been “hacked” two months earlier and never revealed the incident. When it was all sorted out, it was revealed that hackers stole data of 6.9 million users, about half of 23andMe’s customers. (Source: Wikipedia.)
What’s even more disgusting is that 23andMe told victims it was their fault that their data was breached. (Source: TechCrunch.)
Wait, what? Now I have even more questions for 23andMe and the U.S. Federal Trade Commission (FTC).
The state of American healthcare data and network security is at the level of the IT industry 30 years ago. In other words, any mediocre hacker can walk in and disrupt pretty much any U.S. healthcare entity at will.
Why wouldn’t the healthcare industry incumbents and self-proclaimed “leaders”, such as UnitedHealth and Epic, invest in IT security? Because they know it’s an expense that would hit their bottom line and be highly unpopular with their shareholders and the board.
But isn’t there an even larger risk of a cyber security attack that could potentially create enormous financial harm? Corporations only talk dollars, so I don’t even bother mentioning anything else when I’m trying to understand how these companies operate. These behemoths don’t care about cyber attacks. They know they will be bailed out because they’re “too important” to the U.S. economy. This is just like how the largest banks behaved completely irresponsibly and didn’t suffer a bit during the financial crisis of 2008, at the expense of the American taxpayers.
Even if they’re not bailed out, these monopolies will simply pass the damages through to their customers. As the Change Healthcare cyber attacks have shown, UnitedHealth held its business customers hostage by withholding payments to them.
Healthcare corporations know they will come out on top no matter what. So why bother?
I’ve looked at 50 data hacks and data breaches in U.S. healthcare, including the two Change hacks and the 23andMe data breach, and offer common themes and lessons for American healthcare.
If you’re someone like my daughter, who has no issues sharing any of her personal information seemingly with anyone who asks, then you probably sleep very well at night. For the rest of us, these developments are worrisome. The lessons of vulnerabilities in the U.S. healthcare system are critical.
The number of data breaches and cyber attacks in U.S. healthcare has been increasing dramatically. This was perhaps expected, given where we are in the U.S. election cycle:
🛡️ A historic high of 809 healthcare data breaches were reported in 2023, compared to 707 in 2022, impacting about 1 in 3 Americans. The estimated number of patients affected is 88 million, the highest number on record and more than double the 37 million in 2022. (Sources: USA Today, Health Exec, Bluefin, Statista, HHS.)
🛡️ The 2023 healthcare data breaches that exposed patient records happened in 49 states, with California topping the list with 43. New York came in second with 42 security incidents, followed by Texas with 38. (Source: Health Exec.)
🛡️ A 2023 report by Immunefi revealed that the top ten ransom payments globally amounted to nearly $70 million in Bitcoin. (Source: Bitcoinist.)
🛡️ In September 2023, the UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA) published a report highlighting the increasing frequency of ransomware attacks.
🛡️ 2024 is on track to be the worst year on record in terms of data breaches and cyber attacks in healthcare.
These trends are extremely worrisome. It’s not that we can prevent hackers from what they do. We can’t. It’s the fact that healthcare data gatekeepers are unwilling to do anything for patients.
Hopefully, this analysis will help companies, as well as policymakers, to focus on important themes in healthcare security and privacy. It will help us figure out how we can better protect our patients and the medical community overall.
My paid subscribers have the unique opportunity to go backstage and hear the story of these major healthcare breaches and how I discovered these common themes and lessons of the cyber security issues with the American healthcare system.