Cybercriminals Are Targeting Healthcare Organizations: Prevention Steps

CorrectCare Integrated Health, a medical billing, claims administration, and medical services organization that specializes in correctional facility healthcare, will pay $6.49M to settle a data breach class action lawsuit brought against it by consumers who had their personal information compromised in a 2022 data breach.

CorrectCare discovered the data breach in July 2022 and announced the breach in November 2022.

The plaintiffs claimed that CorrectCare failed to protect their personal information from hackers. They alleged that compromised information was collected during medical claims processing.

Individuals identified by CorrectCare as potentially having their data compromised could receive payments.

Under the terms of the settlement, customers with documented data breach-related losses can receive up to $10,000 in reimbursement for "bank fees, communication charges, travel expenses, professional fees, credit expenses and damages from fraud that occurred between the date of the data breach and Aug. 27, 2024." Other class members may receive an alternate cash payment, the amount of which will vary depending on the number of valid claims filed. "$6.49M CorrectCare data breach class action settlement" topclassactions.com (Jul. 12, 2024).

Commentary and Checklist

Healthcare organizations are often targeted by cybercriminals because they collect a large amount of personal information in the course of providing medical care. In addition, because of the life-or-death nature of healthcare, criminals know these organizations cannot tolerate shutdowns or other disruptions, which makes them more likely to pay.

To help prevent a data breach in your organization, it is important to implement the latest cybersecurity best practices.

The Health Sector Council provides cybersecurity objectives to guide health care organizations. They recommend that organizations:
  1. "Develop, adopt and demand safety and resilience requirements for products and services offered, from business to business, as well as health systems to patients, with the concept of secure-by-design and secure-by-default";
  2. "Simplify access to resources and implementation approaches related to the adoption of controls and practices aligned with regulatory and sector standards for securing devices, services, and data";
  3. "Increase new partnerships with public/private entities on the front edge of evaluating and responding to emerging technology issues to enable safe, secure, and faster adoption of emerging technologies";
  4. "Enhance health sector senior leadership and board knowledge of cybersecurity and their accountability to create a culture of security within their organizations";
  5. "Increase incentives, development and promotion of health care cybersecurity-focused education and certification programs";
  6. "Develop health subsector specific integrated cybersecurity profile aligned with regulatory requirements";
  7. "Develop meaningful cross-sector third-party risk management strategies for evaluating, monitoring, and responding to supply chain and third-party provider cybersecurity risks"; and
  8. "Increase meaningful and timely information sharing of cyber related disruptions to improve sector readiness."

"Health Industry Cybersecurity – Strategic Plan (2024–2029)" healthsectorcouncil.org (Feb. 2024).
