This story originally appeared on Drata and was produced and distributed in partnership with Stacker Studio.
States most impacted by health care data breaches in 2022
It starts with an often-paralyzing attack on computer systems. Doctors scramble to notify patients awaiting surgery that their procedures have been delayed due to a ransomware attack.
Sometimes a single cyberattack can impact hospitals across multiple states, as was the case when hackers targeted CommonSpirit Health in October 2022. Just one reported case of ransomware has allegedly led to the death of a patient. More often, patients' sensitive information is served up to a market of seedy individuals around the world ready to cash in on someone else's identity.
Drata analyzed Department of Health and Human Services data to determine which states felt the largest impacts due to health care data breaches in 2022. The total number of individuals affected by all health care data breaches in each state reported to HHS was normalized as a rate per 10,000 people. Data was not available for Alaska, Idaho, and Washington D.C.
The HITECH Act, signed into federal law in 2009, requires companies to report the breach of protected health information affecting 500 or more people to HHS. Around 38.5 million people in total were affected in some way by the incidents reported to HHS last year. Unfortunately, the data does not make it possible to know how many people may have been affected by more than one breach.
Health care institutions are among the most targeted businesses in the world, chiefly because they hold such sensitive information about the patients they serve. Hospitals, home health agencies, and other institutions store patients' phone numbers, Social Security numbers, addresses, and other things that would allow any would-be criminal to pose as a patient and open new credit cards or bank accounts in their name.
In fact, roughly 44% of all reported identity theft in 2022 resulted in a fraudulent credit card account being opened, according to Federal Trade Commission data. The agency received a record number of fraud reports in 2021, with the total fraud reports for 2022 coming in on par with 2020. The years 2020 and 2021 marked an important pivot in how consumers shared their personal information, with the adoption of digital banking and retail shopping driven to modern highs as a result of the COVID-19 pandemic.
In 2022, the FBI's Internet Crime Complaint Center received millions of complaints of cybercrime with losses totaling $10.3 billion. It can take time—even years—for personal information compromised in a data breach to be used for a crime that brings the event to the attention of the FBI.
But the pandemic also drove a rise in cyberattacks on hospitals and other health care businesses. And a good deal of that sensitive information begins its journey into nefarious hands when a hacker illegally accesses information at a health care institution.
Hacking and IT incidents dominate reasons sensitive information was breached at health care organizations in 2022
Sometimes an employee's oversight in crafting an email with the wrong link or attachment can allow unauthorized access to private information, as happened in Wisconsin's Department of Health and Human Services last year. However, the vast majority of data breaches at these companies happen through hacking and IT incidents.
Most often, hackers accomplish this with malware that locks up the data until the victim organization pays the attacker a ransom. The federal government recommends against paying ransoms because companies cannot guarantee that a copy of the data won't be sold to criminals anyway after the ransom is paid, and therefore paying is thought to encourage more of the behavior.
In the top five states where the largest portion of the population was impacted by data breaches at health care organizations last year, all most commonly saw data breaches resulting from hacking.
48. Mississippi
- People affected per 10,000 residents: 0.4
- Breaches reported: 1
- Most common type of breach: Unauthorized Access/Disclosure
47. Iowa
- People affected per 10,000 residents: 0.5
- Breaches reported: 1
- Most common type of breach: Hacking/IT Incident
46. Wyoming
- People affected per 10,000 residents: 2.8
- Breaches reported: 1
- Most common type of breach: Unauthorized Access/Disclosure
45. Virginia
- People affected per 10,000 residents: 6.3
- Breaches reported: 20
- Most common type of breach: Hacking/IT Incident
44. South Dakota
- People affected per 10,000 residents: 7.4
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
43. Nevada
- People affected per 10,000 residents: 8.1
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
42. Maine
- People affected per 10,000 residents: 8.6
- Breaches reported: 1
- Most common type of breach: Hacking/IT Incident
41. Nebraska
- People affected per 10,000 residents: 11.2
- Breaches reported: 6
- Most common type of breach: Hacking/IT Incident
40. Connecticut
- People affected per 10,000 residents: 13.2
- Breaches reported: 7
- Most common type of breach: Hacking/IT Incident
39. Minnesota
- People affected per 10,000 residents: 13.3
- Breaches reported: 6
- Most common type of breach: Hacking/IT Incident
38. Florida
- People affected per 10,000 residents: 13.7
- Breaches reported: 23
- Most common type of breach: Hacking/IT Incident
37. South Carolina
- People affected per 10,000 residents: 16.8
- Breaches reported: 5
- Most common type of breach: Hacking/IT Incident
36. Maryland
- People affected per 10,000 residents: 17.1
- Breaches reported: 11
- Most common type of breach: Hacking/IT Incident
35. New Mexico
- People affected per 10,000 residents: 21
- Breaches reported: 1
- Most common type of breach: Hacking/IT Incident
34. Delaware
- People affected per 10,000 residents: 21.6
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
33. Rhode Island
- People affected per 10,000 residents: 22.7
- Breaches reported: 5
- Most common type of breach: Hacking/IT Incident
32. Ohio
- People affected per 10,000 residents: 24.3
- Breaches reported: 20
- Most common type of breach: Hacking/IT Incident
31. New Jersey
- People affected per 10,000 residents: 29.1
- Breaches reported: 22
- Most common type of breach: Hacking/IT Incident
30. Georgia
- People affected per 10,000 residents: 29.3
- Breaches reported: 17
- Most common type of breach: Hacking/IT Incident
29. Arkansas
- People affected per 10,000 residents: 29.4
- Breaches reported: 4
- Most common type of breach: Hacking/IT Incident
28. Hawaii
- People affected per 10,000 residents: 40.9
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
27. Utah
- People affected per 10,000 residents: 41.1
- Breaches reported: 4
- Most common type of breach: Hacking/IT Incident
26. Missouri
- People affected per 10,000 residents: 44.5
- Breaches reported: 9
- Most common type of breach: Hacking/IT Incident
25. California
- People affected per 10,000 residents: 49.4
- Breaches reported: 31
- Most common type of breach: Hacking/IT Incident
24. Alabama
- People affected per 10,000 residents: 59.5
- Breaches reported: 5
- Most common type of breach: Hacking/IT Incident
23. Kansas
- People affected per 10,000 residents: 76.2
- Breaches reported: 8
- Most common type of breach: Hacking/IT Incident
22. New York
- People affected per 10,000 residents: 81.8
- Breaches reported: 43
- Most common type of breach: Hacking/IT Incident
21. Tennessee
- People affected per 10,000 residents: 83.5
- Breaches reported: 11
- Most common type of breach: Hacking/IT Incident
20. Louisiana
- People affected per 10,000 residents: 87.4
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
19. North Carolina
- People affected per 10,000 residents: 87.9
- Breaches reported: 18
- Most common type of breach: Hacking/IT Incident
18. Vermont
- People affected per 10,000 residents: 91.8
- Breaches reported: 1
- Most common type of breach: Hacking/IT Incident
17. Oregon
- People affected per 10,000 residents: 94.5
- Breaches reported: 6
- Most common type of breach: Hacking/IT Incident
16. Oklahoma
- People affected per 10,000 residents: 97.8
- Breaches reported: 4
- Most common type of breach: Hacking/IT Incident
15. New Hampshire
- People affected per 10,000 residents: 116.8
- Breaches reported: 8
- Most common type of breach: Hacking/IT Incident
14. Washington
- People affected per 10,000 residents: 136.6
- Breaches reported: 18
- Most common type of breach: Hacking/IT Incident
13. Texas
- People affected per 10,000 residents: 139.7
- Breaches reported: 40
- Most common type of breach: Hacking/IT Incident
12. Kentucky
- People affected per 10,000 residents: 140.3
- Breaches reported: 3
- Most common type of breach: Hacking/IT Incident
11. Illinois
- People affected per 10,000 residents: 188.5
- Breaches reported: 21
- Most common type of breach: Hacking/IT Incident
10. Montana
- People affected per 10,000 residents: 196.1
- Breaches reported: 2
- Most common type of breach: Hacking/IT Incident
9. Michigan
- People affected per 10,000 residents: 208.6
- Breaches reported: 21
- Most common type of breach: Hacking/IT Incident
8. Arizona
- People affected per 10,000 residents: 213.2
- Breaches reported: 9
- Most common type of breach: Hacking/IT Incident
7. Pennsylvania
- People affected per 10,000 residents: 232.8
- Breaches reported: 27
- Most common type of breach: Hacking/IT Incident
6. Indiana
- People affected per 10,000 residents: 306.1
- Breaches reported: 14
- Most common type of breach: Hacking/IT Incident
5. Massachusetts
- People affected per 10,000 residents: 335.5
- Breaches reported: 13
- Most common type of breach: Hacking/IT Incident
4. Colorado
- People affected per 10,000 residents: 395.8
- Breaches reported: 9
- Most common type of breach: Hacking/IT Incident
3. North Dakota
- People affected per 10,000 residents: 655.2
- Breaches reported: 1
- Most common type of breach: Hacking/IT Incident
2. West Virginia
- People affected per 10,000 residents: 703.9
- Breaches reported: 7
- Most common type of breach: Hacking/IT Incident
1. Wisconsin
- People affected per 10,000 residents: 743.2
- Breaches reported: 9
- Most common type of breach: Hacking/IT Incident
Data reporting by Dom DiFurio. Story editing by Jeff Inglis. Copy editing by Tim Bruns. Photo selection by Elizabeth Ciano.