Cyber extortion includes any kind of cyberattack in which a hacker demands money to stop an assault, relinquish control of a computer and/or network, or return stolen information. Attackers use extortion against the healthcare industry because of the worth of protected health information (PHI) to healthcare organizations, their patients, and other cybercriminals. Not surprisingly, financial gain accounts for 90% of cyberattacks in healthcare.
Further reading: What is cyber extortion in healthcare?
HIPAA compliance promotes strong security, especially as data breaches in the healthcare industry increase. According to reports, the total number of individuals affected by healthcare data breaches from 2005 to 2019 was 249.09 million. Of these, 157.4 million individuals were impacted in the last five years alone. Newer reports also show that healthcare data breaches exposed 275 million records in 2024.
Common examples of breaches that result in exposed PHI include accidental disclosure, theft, lost or stolen devices, hacking incidents, and phishing and ransomware attacks. The two most widespread types of healthcare breaches are hacking/IT incidents and unauthorized internal disclosures or insider threats. No matter the type, a data breach can have far-reaching consequences and can cause serious accountability and responsibility issues for an organization.
Cyber extortion occurs when a hacker gains access to a computer system, a network, or the data within it. Once they have control, these criminals try to extort money and demand a ransom payment.
If an individual or organization decides not to pay the ransom, a cybercriminal may keep the stolen data or release it to the public. They can also sell the information to another cybercriminal or keep a system or its data encrypted and locked. They could still decide to do any of these things even after a victim pays a ransom.
Healthcare organizations are vulnerable to extortion and ransom demands for a variety of reasons and not only because of the value and significance of PHI. The use of fear and urgency is central to the effectiveness of extortion attacks, as victims are pressured to act quickly to avoid consequences. In healthcare, this could mean interrupted services, closed hospitals, and even patient death.
See also: Patient dies due to a ransomware attack
Extortion entails threats and blackmail until a cyberattacker achieves what they want, that is, money. Attackers are even moving to adopt double and triple extortion tactics, exfiltrating and then encrypting data before demanding a ransom and sometimes adding a third layer of pressure.
There are numerous methods attackers can use to get into a system to extort an individual or business. The top methods include:
All of these methods of attack rely on coercion and manipulation. Such attacks do not have to be sophisticated and can instead rely on social engineering to convince someone to make a ransom payment. Social engineering plays on people’s emotions and instincts to make them take actions that are not in their best interests.
Extortion attacks occur frequently through email, a simple and largely anonymous attack vector, or through an exposed vulnerability or outdated software. Sometimes the threat is real, while other times it’s a bluff. That doesn’t matter, as either can succeed depending on the person who receives the threat and what they do with it.
First and foremost, cyberattackers target healthcare organizations to gain access to and steal sensitive patient data, such as personally identifiable information (PII), medical records, and financial details. Cybercriminals can then hold the information for blackmail and ransom or sell it to someone else. PHI is among the most valuable types of data on the black market, with records fetching anywhere from $10 to $1,000 each. This value is driven even higher by the potential for identity theft, insurance fraud, and other forms of financial crime.
Furthermore, healthcare organizations are considered easy targets given their tired, stressed, and overworked staff. At least 85% of data breaches are attributed to individual mistakes. Moreover, providers tend to employ minimal cybersecurity features given their small budgets and focus on patients’ lives rather than information technology. Finally, the healthcare industry has seen an increase in vulnerable medical devices and connected infrastructures, creating more attack surfaces.
Given all this, healthcare providers may be more likely to pay quickly, which hackers understand and focus on. Hospitals typically can’t afford lengthy disruptions and find that there is an urgent need to restore services and mitigate patient risks by paying a ransom price.
Freedman HealthCare is a data and analytics firm serving state agencies, health providers, and insurance companies to build databases. These databases collect PII, including insurance statuses, healthcare claims, and payment data. Earlier this year, the extortion gang World Leaks, formerly known as Hunters International, claimed to have stolen 52.4 GB of data (42,204 files) from the company.
The World Leaks gang set a deadline for Freedman HealthCare to send a ransom, or they would release some of the stolen information. Freedman HealthCare dismissed the claims of PHI theft even though it had discovered a security incident in late April; the company did not pay World Leaks anything. While the group released some information, observers noted that no PII was included.
No other information has been released since then, and the investigation is ongoing. Freedman HealthCare is facing a class-action lawsuit, and while the company has decided not to pay, this isn’t a decision every organization can easily make.
Another extortion attack: Clop extortion emails target Oracle E-Business Suite users
The impact of cyber extortion on the healthcare industry can be devastating, from loss of data to loss of patients, which is why many organizations choose to pay. Substantial costs after a data breach and ransom demand include:
If an organization suspects a breach, it should identify and confirm the issue, then take steps to stop the leak of PHI. Healthcare providers need to continuously monitor their systems after a breach for any anomalies and/or strange behavior.
If approached with a ransom demand, healthcare organizations shouldn’t pay. For one thing, it will give a cyberattacker a chance to learn more about an organization and possibly consider striking again. Payment can also encourage a cybercriminal and other cybercriminals to continue to use cyberattacks for extortion.
Healthcare organizations can reduce the impact of extortion breaches by updating and implementing rigorous security measures and conducting thorough security audits and compliance reviews to identify other vulnerabilities. Proper mitigation after a breach can keep patient data from exposure and protect a healthcare organization from committing a HIPAA violation.
After detection and investigation, organizations must also follow the Breach Notification Rule and notify affected individuals, the government, and the media. Swift and transparent communication helps lessen the fallout and indicates an organization’s commitment to repairing a breach and ensuring it does not occur again.
HIPAA compliance involves continuously updating security measures to protect sensitive health information and to avoid breaches. One of the first steps toward HIPAA compliance is conducting a risk assessment. This assessment helps identify vulnerabilities and develop strategies to address them. Other steps to avoid extortion include:
HIPAA compliance regulations aim to protect patient and employee health information. Adhering to HIPAA standards helps providers protect patient privacy, leading to strengthened relationships and better patient outcomes.
Cyber extortionists often exploit vulnerabilities in outdated software, phishing emails targeting employees, or weakly secured remote access points to gain initial access to healthcare networks.
Organizations should avoid engaging directly with the attackers, notify internal security teams, investigate for signs of unauthorized access, and report the incident to appropriate authorities or security vendors.
Clear communication channels should be established in advance to inform patients, staff, and stakeholders about the incident, steps being taken to mitigate it, and any potential impact on services or data.
Organizations must balance legal obligations to protect patient information with ethical considerations regarding the payment of ransoms, seeking legal counsel to work through compliance and confidentiality concerns.