(WXYZ) — Hospital systems are being targeted by cyber hackers at an alarming rate with a goal of stealing millions of patients' sensitive records.
Statistics show the rate doubled from 2022 to 2023, and this year is expected to get even worse.
From here in metro Detroit to other parts of the country, a range of cyber attacks have led to growing concerns for hospital patients.
“As we’re going more the way of cyber and everything going out onto the web and everything, it doesn’t surprise me," said Herb Hayden, whose family member was victimized.
For Hayden, the threat of a cyber attack comes with the potential for great harm that can turn into a real life nightmare. A family member of his recently had their identity stolen, which compromised their sensitive, personal information.
"Someone has stolen your identity, then the onus is on you to prove it wasn’t you. We had a challenge to show we never had a residence in this place or a utility in our name," said Hayden.
Just last year, we saw a staggering number of cyber attacks targeting hospital systems across the country and right here in metro Detroit.
"Thousands of patients and those patient files will contain their address, date of birth, social security numbers, all the pertinent information hackers can use to exploit for illicit purposes," said Andy Bartnowak, a retired FBI supervisor.
Bartnowak is talking about the attack that led to more an a million Corewell Health patients being informed by mail that their info had been compromised in another cyber attack.
In this case, a third party vendor suffered a data breach, exposing social security numbers, names, billing info and more.
So, what can hospitals do to protect patients in a better way?
He says better training for staff on what to watch out for when it comes to phishing schemes along with more security and improved policy are crucial.
"Either it’s an it issue where policy wasn’t followed or it’s human error," said Bartnowak.
In total, two cyber attacks on Corewell Health took place in December alone.
Other Michigan hospitals were also targets in late 2023, and outside Michigan, hackers forced a Tennessee-based hospital to shut down ERs as patient records were held for ransom.
“I think it’s very troubling. If you have to shut down any emergency room whatever the size, you are basically putting patients' lives at risk because you can’t treat them and they need immediate treatment," said Bartnowak.
Citing the cybersecurity research institution Poneman Institute, a 2023 healthcare report shows roughly 88% of health care companies experienced at least one cyberattack in the last year, costing millions on average.
Bartnowak says hackers can bank on hospitals paying a ransom and what they’re stealing is becoming more valuable on the dark web with individual records selling for as much as $250.
“I don’t think a patient in a hospital setting can protect themselves any more than they already are, that is on the part of the hospital it and infrastructure," said Bartnowak.
He advises, "before you open that email, if it doesn’t look right, click on the email address and if that isn’t the actual address to the company, that’s a bad email and don’t ever open it up.”
He says the more hospitals pay, the more ransomware groups become emboldened, which is why people must have credit monitoring and identity protection set up before becoming a patient.
In part of a statement, a spokesperson for Corewell Health telling us: “the privacy of our patients is a top priority … like most health care organizations, we work with vendors who offer specialized services or expertise. Both of our vendors that were affected last year (HealthEC, LLC, and Welltok, Inc.) conducted thorough reviews to determine who was impacted and what data might have been accessed. Both vendors alerted our team.”
When we asked Hayden how confident he is that his information is going to be secure as a patient, he responded: “that confidence level would be down. Now, are they getting my financial information, but also whatever confidential health information I have.”
Hayden fears the problem could be even worse than it seems, that's why he’s warning others to remain vigilant.
“It doesn’t surprise me. We are hearing about ransomware attacks on large corporations and small corporations. These are only the ones we hear about and some smaller organizations are paying hundreds of thousands to get their data back,"said Hayden.
Credit card monitoring and identity restoration are among the services provided for those impacted. Patients are urged not to wait, in the event of a data breach.
