Cybercriminals intensify attacks on health care

May 31, 2024

Presented by

Driving The Day

A laptop displays a screen shot of a ransomware attack.

Cyberattacks targeting hospitals and other health care providers and facilities are on the rise. | Mark Schiefelbein/AP | AP Photo

MILLIONS HIT IN 2024 — Sixty-nine more health care data breaches have occurred in the first quarter of 2024 than in the same period in 2023, according to HHS data.

In all, 226 breaches in the first three months of 2024 compromised health data for 17.2 million patients compared with 157 breaches during the same period in 2023, which compromised the data of 17.6 million patients, per a preliminary review of the latest data of breaches from the HHS Office for Civil Rights.

The data includes a cyberattack at Concentra Health Services in January that exposed nearly 4 million individuals and attacks at INTEGRIS Health and Medical Management Resource Group, LLC, with each impacting nearly 2.4 million people, according to a POLITICO analysis of OCR’s data.

Why this matters: In recent attacks, cybercriminals have held hospitals, health plans, and providers hostage by withholding access to their data — forcing some to pay millions of dollars in ransoms or divert ambulances away from their hospitals.

The upsurge in reported data breaches in the first quarter of this year follows a sharp increase in recent years and has spurred Congress to call UnitedHealth Group’s CEO to testify on the Hill after a February attack on the group’s ChangeHealthcare subsidiary. And some health care companies have hired outside cybersecurity consultants from Silicon Valley for help recovering from an attack.

HHS’ data doesn’t yet include the massive Change Healthcare attack. Andrew Witty, UnitedHealth Group’s CEO, told Congress that he estimates a third of Americans’ information was compromised in that attack. It also doesn’t reflect an April hack at the Catholic nonprofit Ascension, which caused issues accessing patient records across its hospitals. Ascension has said it’s been able to restore some electronic health record access but continues to work to restore the remainder of its systems.

How we got here: Cybersecurity experts have told Pulse that the health care sector is behind other industries in boosting its cybersecurity — even as federal authorities warn that foreign hackers are targeting the sector.

HHS released voluntary cybersecurity goals for hospitals last year, but it plans to mandate certain practices in the coming years.

OCR responds: OCR Director Melanie Fontes Rainer told Pulse that covered entities need to invest more in their preventive care before a breach happens, adding that more and more health information is being stored electronically.

“We know from our enforcement that covered entities sometimes don’t even do basic things like a risk analysis,” Fontes Rainer told Pulse. “They might be making themselves an attractive target for [attacks] and making their patients' privacy and data vulnerable.”

But OCR’s enforcement under HIPAA kicks in only after a breach, Fontes Rainer said, and the office has relied on encouraging entities to voluntarily improve their cybersecurity and has offered tools and education to help them do so.

“My interest is in driving as much voluntary compliance as possible because it’s not possible for me to go in and preemptively catch all these things, and it’s not possible to prevent them all,” she said.

WELCOME TO FRIDAY PULSE. We hope your first weekend of June is lovely! I want to spend it at this waterfront pizza bar. Send your tips, scoops and feedback to ccirruzzo@politico.com and bleonard@politico.com and follow along @ChelseaCirruzzo and @_BenLeonard_.

A message from PhRMA:

The 340B drug pricing program is supposed to help vulnerable patients access medicines at qualifying hospitals and clinics. It’s meant to be a safety net for those who really need it. So why is the 340B program padding profits for large hospitals, PBMs and chain pharmacies? Let’s fix 340B so it can help the patients that need it most. Let’s fix 340B.

AROUND THE AGENCIES

Two people walk inside a Medicare Services office.

A new report says that CMS needs to improve its Medicare oversight when it comes to paying for certain braces. | Spencer Platt/Getty Images

BRACE WASTE — Medicare paid $5.3 billion for foot braces between 2014 and 2020, but a government watchdog says CMS needs to do a better job of ensuring the braces are going to patients.

Orthotic braces are among the top medical equipment with the highest improper payment rates, according to an HHS Office of Inspector General report. In its review of CMS’ oversight of the braces, the inspector general found issues, including some providers ordering braces for their enrollees with no history of a prior relationship, new suppliers popping up in areas with known Medicare fraud and Medicare paying private payers more for the braces.

“Adequate CMS oversight is critical in ensuring that Medicare enrollees continue to have access to and receive medically necessary braces,” the report said.

The OIG recommends that CMS increases its oversight, such as by:

— Identifying providers who had ordered braces without a prior patient relationship and deciding whether action must be taken

— Ensuring Medicare payments are comparable to non-Medicare payments for braces

— Educating suppliers on telemarketing practices for braces

CMS didn’t say whether it agreed with the recommendations but said it has worked to reduce improper payments related to the braces.

THE GOLD STANDARD OF HEALTHCARE POLICY REPORTING & INTELLIGENCE: POLITICO has more than 500 journalists delivering unrivaled reporting and illuminating the policy and regulatory landscape for those who need to know what’s next. Throughout the election and the legislative and regulatory pushes that will follow, POLITICO Pro is indispensable to those who need to make informed decisions fast. The Pro platform dives deeper into critical and quickly evolving sectors and industries, like healthcare, equipping policymakers and those who shape legislation and regulation with essential news and intelligence from the world’s best politics and policy journalists.

Our newsroom is deeper, more experienced and better sourced than any other. Our healthcare reporting team—including Alice Miranda Ollstein, Megan Messerly and Robert King—is embedded with the market-moving legislative committees and agencies in Washington and across states, delivering unparalleled coverage of health policy and the healthcare industry. We bring subscribers inside the conversations that determine policy outcomes and the future of industries, providing insight that cannot be found anywhere else. Get the premier news and policy intelligence service, SUBSCRIBE TO POLITICO PRO TODAY.

A FOCUS ON AGING — HHS released a framework for its eventual best practices recommendations Thursday to support the nation’s aging population.

“The rapidly growing population of older adults creates an urgent need for thoughtful planning and coordinated action to strengthen the systems that support health and wellbeing as we age,” Alison Barkoff, principal deputy administrator of the Administration for Community Living, said in a statement.

Why it matters: More than 55 million people in the U.S. are 65 and older, with that age demographic expected to grow in the next 30 years.

Thursday’s report, created with input from experts from an interagency committee, which includes HHS, the USDA and HUD, will eventually turn into national recommendations on aging for federal, state and local officials. It has four main focuses: creating age-friendly communities, coordinating housing and supportive services, increasing access to long-term services and aligning health care services.

Within those focuses, the report calls for prioritizing the caregiving workforce, improving access to Medicaid long-term care services and promoting behavioral health services for older adults.

What’s next? The report authors will consult with stakeholders across the nation for input on the national recommendations in the coming months.

A message from PhRMA:

Mental Health

U.S. OUTPACES OTHERS IN MENTAL HEALTH CONCERNS — U.S. adults have the highest rate of suicide and significantly higher mental health needs than adults in nine other high-income countries, according to a new analysis out today.

Researchers at the Commonwealth Fund analyzed survey results from adults in the U.S., Australia, Canada, France, Germany, the Netherlands, New Zealand, Sweden, Switzerland and the United Kingdom.

Why it matters: Mental health concerns have risen globally in the past few years.

Researchers found that Australian and U.S. adults are most likely to report mental health needs, defined as having a diagnosis of depression, anxiety or another mental health condition or receiving counseling or treatment within the past 12 months.

Black Americans with mental health needs are also the most likely to report multiple chronic conditions, take multiple prescription drugs regularly and have at least one social need, which includes food or housing insecurity.

Nearly all countries surveyed struggle with ways to improve social support for people with mental health needs — to varying degrees. According to researchers, half of Black and Hispanic adults in the U.S. and more than half of all adults in France with mental health needs reported at least one social need, compared with 1 in 5 adults in Germany.

DON’T MISS POLITICO’S ENERGY SUMMIT: The future of energy faces a crossroads in 2024 as policymakers and industry leaders shape new rules, investments and technologies. Join POLITICO’s Energy Summit on June 5 as we convene top voices to examine the shifting global policy environment in a year of major elections in the U.S. and around the world. POLITICO will examine how governments are writing and rewriting new rules for the energy future and America’s own role as a major exporter. REGISTER HERE.

WHAT WE'RE READING

POLITICO’s David Lim and Marcia Brown report on a third human case of avian flu.

POLITICO’s Nick Reisman reports that New York officials are weighing a commission to probe the state’s Covid-19 response.

The Associated Press reports that Guillan-Barre syndrome is “more common than expected” in some older adults who get the respiratory syncytial virus shot.

A message from PhRMA:

Hospitals that participate in the 340B program contract with more than 33,000 pharmacies to dispense the program’s drug prescriptions. More than 40% of these pharmacies have financial ties to one of the three largest PBMs – CVS Health, Express Scripts and OptumRx. 340B hospitals and the PBM-owned pharmacies they contract with are profiting off discounted medicines while uninsured patients are left paying full price for their medicines. Let’s fix 340B so it better helps patients.