Companies that process payments for physician groups, hospitals and other healthcare providers are more vulnerable to hacks, information system breaches and ransom demands than their peers in other segments of the industry, cybersecurity professionals warn. 

In a report last month, cybersecurity firm Critical Insight noted that two fintechs were hit with ransomware attacks since July 1, exposing financial and healthcare data from almost three million patients. The two breached fintechs were revenue-cycle management vendor Practice Resources LLC of Syracuse, New York, and accounts receivable manager Professional Finance Company, of Greeley, Colorado. 

The fact that the IT systems at two fintechs were breached in the space of two months may indicate that data breaches, security hacks and ransom demands targeting fintechs represent a shift in criminal strategy, said Mike Hamilton, founder and chief information security officer at Bremerton, Washington-based Critical Insight. The reason: fintechs process payments for client customers that manage extensive financial and healthcare data from patients, but also financial data from payers and providers, he explained in an interview. 

“This is an efficiency move that ramps up revenue while reducing risk for the criminals,” Hamilton added. Rather than hitting 25 hospitals for patients’ records and ransom demands, hackers can breach the fintechs that serve those more than two dozen hospitals and steal patient and financial data from them, he said. 

Healthcare fintechs face the potential of a federal investigation if any data breach exposes patients’ personal health information, Hamilton commented. 

Under the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, federal regulators established national standards for protected healthcare information (PHI), to assure that data wasn’t disclosed without patients’ consent. When any PHI is improperly disclosed, the Office of Civil Rights of the federal Department of Health and Human Services investigates the breach and publishes the name of the hacked company, the number of patients affected, and the date of the breach on what’s known in the industry as the “wall of shame.”

That site shows that 942,138 patients’ records were exposed to hackers who breached the network server at Practice Resources on Aug. 4 and that more than 1.9 million patients’ records were hacked in a breach of a network server at Professional Finance on July 1. 

Russell Teague, vice president of advisory services of Fortified Health Security, a cybersecurity company in Franklin, Tenn., echoed Hamilton’s take, and went a bit further. “We’ve seen threat actors starting to target third-party providers that process payments for healthcare organizations,” he said. “They don't seem to be focused so much on getting patient data because what they're really after is getting the money into their own hands versus where it needs to go.”

Research from Sophos, a cybersecurity company in Burlington, Massachusetts, confirmed Hamilton and Teague’s comments generally with respect to the healthcare industry. Its June report, “State of Ransomware in Healthcare 2022,” showed an increasing threat of cyber attacks in healthcare, The percentage of healthcare organizations reporting ransomware attacks last year in healthcare almost doubled to 66%, up from 34% in 2020 Sophos said. 

Not only are the number of cybersecurity hacks increasing, the costs of breaches are climbing too. In July, IBM Security, a cybersecurity consulting company in Cambridge, Massachusetts, reported in its annual “2022 Cost of Data Breach Report” that in 2021 the cost of IT security breaches in healthcare rose for the 12th straight year. 

The average cost of a healthcare breach jumped by almost $1 million since 2021 to a record high of $10.1 million this year, the highest among all industries that the company researched, according to IBM Security. The $10.1 million is more than twice as high as the $4.35 million global average cost of a data breach for all industries surveyed, the firm said.