Welcome back to this third and last part of the Cyber Attack Statistics 2022 series. In this series, we uploaded a global cyber attacks database into Gigasheet. It was fun to watch Gigasheet automatically determine data types and parse the data for viewing.
The processed database contained more than 300 major data breaches originally compiled by Wikipedia communities from reliable resources using nearly two decades of data starting from the early 2000’s. You can gain view-only access to the publicly shared database as an anonymous user without authentication. Alternatively, you can join thousands of individuals and teams by creating a free Gigasheet account and employ arithmetic, enrichments, value lookups, and various other data management functions.
In Part 1, we presented a high-level overview of significant cyber attacks. Historical data revealed that the healthcare industry was the greatest target for malicious actors.
In Part 2, we looked at the most commonly exploited attack surfaces and studied organizations at all levels (public and private) with the largest Personally Identifiable Information (PII) and Protected Health Information (PHI) data exposure.
We conclude by diving into the Healthcare industry and some of the more recent attacks.
Cyber Attack Statistics in the Healthcare Industry
Now, let’s get our feet wet and put the healthcare industry under the spotlight. U.S. Department of Health and Human Services hosts a data breach portal documenting breaches of unsecured protected health information affecting 500 or more individuals. According to the government data, healthcare data breaches are on the rise with a clear trajectory.
The figure below displays the yearly breakdown of significant cyber attacks in the healthcare industry since the early 2000s. With a quick glance, the histogram shows that 2015 and 2011 were two of the most catastrophic years for the healthcare industry with 6 and 7 major data breaches, respectively.
In essence, this chart misses an important metric, which is the total number of PHI data exposed. I believe you’ll agree with me that a “combined” plot showing both the number of leaked sensitive data and the number of incidents demonstrates a more meaningful picture of the data breach landscape. No worries! Gigasheet’s visualization toolbox includes the “combination chart” option where you can mix and match a few graphs together without writing a single line of code.
Yearly breakdown of significant cyber attacks in the healthcare industry
The combination plot below reveals interesting outcomes. As opposed to our earlier observation, 2011 was not the most devastating year for the healthcare industry. Even though 7 major incidents (the highest count!) took place in 2011, more than 52% of PHI breaches took place in 2015 as a consequence of 6 cyber attacks. Similarly, 2019 took the podium as the second-most disastrous year with PHI data of nearly 27 million individuals leaked following 3 major data breaches. In 2011; however, relatively less PHI was breached even though a record number of cyber attacks took place.
Combined plot of yearly breakdown of exposed PHI and histogram of data breaches in the healthcare industry
Now, I’d like to zoom in to 2019 and focus on some of the recent cyber attacks in the healthcare industry:
- Secur Solutions Group, a third-party vendor for the Health Science Authority in Singapore, unintentionally stored sensitive PII of over 800,000 blood donors in a public database without any Password Policy.
- Sensitive PHI, including national health card numbers, and sensitive PII, including login IDs and passwords, of 15 million patients of Lifelabs were compromised. The company later admitted to paying the perpetrators a ransom (Oh No #StopRansomware! I don’t know if they tried the FBI's Internet Crime Complaint Center first). Several parties have filed lawsuits against the company, demanding more than $1.1 billion in compensation. This unfortunate incident was a good reminder of the Unnecessary Data Collection vulnerability.
- Malicious actors gained access to Quest Diagnostics’ nearly 12 million patients’ billing and medical data (excluding lab results) through a data breach at a third-party vendor due to Insecure Data Storage. A multistate investigation resulted in a $21 million fine, which was later suspended due to the company’s financial situation.
I hear you, you are curious about the worst healthcare data breach documented in our dataset! Fujie Wang, an alleged member of a Chinese hacker group, was believed to be the perpetrator of the cyber attack on Elevance Health (rebranded from Anthem). In this attack, sensitive PHI and PII, including names, dates of birth, medical IDs, social security numbers, residence addresses, email addresses, and employment information with income data, of nearly 80 million customers were compromised. The company agreed to pay $115 million to settle class action lawsuits in the largest HIPAA settlement in history. This incident itself was the primary reason for the spike of the total count of leaked PHI in 2015.
Final Words About the Publicly Shared Cyber Attacks Database
I hope you’ve enjoyed this Cyber Attack Statistics 2022 series. I could have explored different aspects of the entire dataset and highlighted other interesting cyber crimes such as the RBS WorldPay hack in 2008. I bet this incident has a great potential to inspire Hollywood producers. Sergei Nicolaevich Tšurikov (an Estonian hacker) and his team exploited encryption vulnerabilities, compromised debit cards, and withdrew $9 million from over 280 cities in less than 12 hours! The main perpetrator was sentenced to 11 years in prison and ordered to pay $8.4 million in restitution.
The good news is that there are many more engaging data breaches for us to dig into. For instance, are you curious to know if we can use this Cyber Attack Statistics Dataset to gauge the Cyber Warfare future trends? If it sounds like something you are interested in, give Gigasheet a try today and start exploring the cyber attacks dataset yourself. Please remember it is Free Forever!
The ease of a spreadsheet with the power of a database, at cloud scale.
