Healthcare Data Breaches: Personal Data Compromised – Technologist

Two major healthcare organisations, Gryphon Healthcare and Tri-City Medical Centre, recently revealed significant data breaches, collectively affecting more than 500,000 individuals. These breaches highlight the ongoing risks to sensitive patient data and the critical need for robust cyber security measures within the healthcare industry, where cyber criminals often target personal and medical information.

Gryphon Healthcare’s Data Breach: Impact on Nearly 400,000 Patients

Gryphon Healthcare, a Houston-based billing services provider, is notifying 393,358 individuals of a significant breach involving a third-party partner. The breach, discovered on August 13, 2024, allowed unauthorised access to sensitive patient data managed by Gryphon on behalf of one of its partners.

According to the company’s disclosure to the Maine Attorney General’s Office, the compromised data includes names, addresses, dates of birth, Social Security numbers, treatment details, medical record numbers, health insurance information, and other sensitive medical data, including prescription and diagnosis details. This comprehensive set of personal health information (PHI) is precious to cybercriminals, often sold on the dark web or used for fraudulent activities like identity theft or insurance fraud.

Despite the exposure of such sensitive data, Gryphon has stated that there is no evidence so far to suggest that the stolen information has been misused. However, the full scope of the breach and the potential long-term risks remain concerning.

Gryphon Healthcare offers 12 months of complimentary identity theft protection services, including credit monitoring, insurance reimbursement policies, and recovery services for all affected individuals to mitigate these risks. These measures aim to provide immediate support to those whose data was compromised. However, concerns about the adequacy of a one-year protection window have been raised, as data misuse could extend beyond this timeframe.

Tri-City Medical Center’s Year-Old Breach Finally Disclosed

Tri-City Medical Center, a full-service, acute-care public hospital based in Oceanside, California, has also disclosed a significant data breach affecting 108,149 individuals. The breach originated from a cyberattack in November 2023, disrupting several hospital systems. While the hospital’s response followed typical procedures for handling a ransomware incident, the organisation did not initially disclose the whole nature of the attack or its impact.

It wasn’t until late September 2024—nearly a year after the breach—that Tri-City determined personal information had been compromised during the attack. This included names and other vital identifiers that could be used to target individuals in future fraud schemes. Although Tri-City has not confirmed the exact nature of the cyberattack, in December 2023, the ransomware group Inc Ransom claimed responsibility, posting Tri-City Medical Center on its Tor-based leak site.

As with Gryphon, Tri-City Medical Center offers those affected by the breach free identity protection services, including credit monitoring and identity recovery options. However, the delay in notification raises questions about the effectiveness of the hospital’s incident response and the potential consequences for individuals whose data was exposed months earlier.

Cybersecurity Challenges in Healthcare

These breaches are part of a growing trend in healthcare, where cyberattacks have become increasingly common due to the high value of PHI and the sector’s struggle to keep pace with evolving cybersecurity threats. Both incidents underscore the vulnerabilities in healthcare systems, particularly regarding third-party vendors and service providers that handle sensitive data.

In Gryphon Healthcare’s case, the breach originated from a third-party partner, highlighting the inherent risks of outsourcing essential services like medical billing. Such third-party breaches have become a significant concern in healthcare, as they expose patient data across multiple layers of service providers, sometimes complicating the responsibility for securing that data. Healthcare organisations often rely on vendors to manage large volumes of patient information, but these relationships can create additional entry points for cyber criminals.

Tri-City Medical Center’s breach also points to the potential long-term impacts of cyber attacks that are not fully disclosed or understood until months after the attack. This delayed notification raises concerns about the hospital’s cyber security practices and ability to promptly detect and respond to sophisticated attacks. For healthcare providers, the challenge lies in defending against attacks and effectively communicating with patients when their data has been compromised.

The Rising Threat of Healthcare Data Breaches

The healthcare industry remains a prime target for cyber attacks, with ransomware, phishing, and third-party breaches among the most common tactics used by threat actors. In 2023 alone, the U.S. Department of Health and Human Services reported over 700 breaches affecting more than 50 million individuals. Attackers are drawn to healthcare data because it contains rich, comprehensive information that can be monetised or leveraged for future attacks.

Gryphon Healthcare and Tri-City Medical Center are just the latest healthcare institutions victimised by data breaches. These incidents further demonstrate the necessity of investing in stronger, more resilient cybersecurity infrastructures, particularly in areas like third-party risk management, endpoint security, and incident response protocols.

What’s Next for Affected Individuals?

The immediate concern for individuals impacted by these breaches is identity theft and fraud. With information such as Social Security numbers and health insurance details exposed, those affected must remain vigilant, monitoring their financial accounts, credit reports, and any suspicious activity that may arise in the coming months.

While Gryphon Healthcare and Tri-City Medical Center offer temporary identity theft protection services, patients are urged to take proactive steps to secure their personal information, including freezing their credit and updating passwords on any potentially compromised accounts.

What do the recent data breaches mean?

The recent data breaches at Gryphon Healthcare and Tri-City Medical Center are stark reminders of the growing cyber threats facing the healthcare industry. As the frequency and sophistication of attacks increase, healthcare providers must prioritise cyber security at all levels, from internal systems to third-party partnerships, to protect the sensitive personal data entrusted to them by patients. For the individuals affected, the road to recovery may be long, and the impacts of these breaches could be felt for years to come.