Think Kate Middleton’s data-privacy fiasco is bad? US hospitals are under cyber-siege

Our medical data could be leaked as easily as the Princess of Wales. Here’s how to protect yourself

By Rae Hodge

Staff Reporter

Published March 22, 2024 8:15AM (EDT)

Catherine, Princess of Wales smiles during her visit to Sebby's Corner on November 24, 2023 in Barnet, England. (Frank Augstein - WPA Pool/Getty Images)
Catherine, Princess of Wales smiles during her visit to Sebby's Corner on November 24, 2023 in Barnet, England. (Frank Augstein - WPA Pool/Getty Images)

Data privacy officials in the United Kingdom are currently investigating a privacy breach that impacted the Princess of Wales, Kate Middleton, after three hospital workers reportedly sought access to the royal’s private medical information. But her majesty's medical privacy problems are all too familiar for many in the United States, where one in three people were impacted by a health-related data breach last year.

The Associated Press reported last month that one cybersecurity analyst counted 46 attacks on hospitals in 2023, compared with 25 in 2022, accounting for an astonishing 133 million US patient records exposed last year. And hackers are making more money per cyberattack, with average payouts jumping from $5,000 in 2018 to $1.5 million last year.

“Unless governments do something more meaningful, more significant than they have done to date, it’s inevitable that it’ll get worse,” the analyst said. 

The Department of Health and Human Services, however, said total health care hacks climbed to 725 last year, their highest on record. As reported by USA Today, the worst of the hacks (the top 20 in which at least 1 million records were exposed) the vast majority targeted hospital contractors and medical vendors. Around 2.3 million Medicare beneficiaries — along with tens of millions of people in 2,000 companies, government agencies and universities — had data exposed when a Russian ransomware group hacked US government software created by a federal contractor, according to the Centers for Medicare and Medicaid Services.

“Unless governments do something more meaningful, more significant than they have done to date, it’s inevitable that it’ll get worse.”

Following a massive cyberattack on a Chicago pediatric hospital on Jan. 31, officials from the US Department of Homeland Security likewise issued a warning: cyberattacks are growing quickly and hospitals are being targeted, along with doctors, medical vendors and other health care companies. More recently, HHS is currently investigating the massive Feb. 21 breach of a UnitedHealth Group subsidiary that likely exposed millions of patients’ sensitive data.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” the HHS Office for Civil Rights said in a statement last week.

Three things the US could do to protect data privacy

Although controversial legislative efforts to ban TikTok have captured much of the nation’s attention, the more effective data-privacy move by Congress came this week as lawmakers in the House unanimously passed a bill barring third-party data brokers from selling your data to the US’ geopolitical adversaries, like Russia and China. As reported by Gizmodo, the Protecting Americans’ Data from Foreign Adversaries Act (H.R. 7520) cleared the House Wednesday on a 414-0 vote and is now headed for the Senate. 

Want more health and science stories in your inbox? Subscribe to Salon's weekly newsletter Lab Notes.

The bill also bolsters previous efforts by the Federal Trade Commission to shore up sensitive health data — barring brokers from selling or sharing information like your precise geolocation data, genetic data and private emails and texts.

The Biden administration and Environmental Protection Agency are also moving to shore up state-level defenses while warning that “disabling cyberattacks” are hitting critical US water and waste systems, along with power grids. The administration has also recently pushed for better privacy-risk labeling on consumer smart-home devices and tech.

What you can do to bolster your data privacy

1. Verify a breach

If you’d like to check whether one of your email addresses has been compromised in a data breach or hack, you can visit haveibeenpwned.com and enter your email address in the site’s search bar. The site’s owner and creator, security expert Troy Hunt, has provided this free service since 2013, and the site can verify your email address against a database of nearly 8 billion compromised accounts.

2. Use credible, open source privacy tools

When you finally get tired of having to keep track of (and routinely reset) dozens of passwords, consider installing open-source password manager Bitwarden in your browser. Usually, free privacy and cybersecurity tools are inadvisable, but Bitwarden is the exception. Offering the strongest free-tier service among competitors and compatible with nearly any browser, Bitwarden has nearly no learning curve and offers convenient instructions on importing your list of saved passwords.

3. Use decoy accounts and contaminate your data

Any time you’re entering your name into a website to sign up for a new service or place an order, use two things: a fake identity and email account (to the maximum extent allowable by law), and contaminated data. The fake identity bit is self-explanatory. Contaminating the data is simple: While entering your information into any online form, put the name of the website or service you’re using into the field set aside for a middle name. For instance, if I start receiving junk mail and spam from random companies and it’s addressed to “Rae Amazon Hodge,” I’ll know exactly what company sold me out.

By Rae Hodge

Rae Hodge is a science reporter for Salon. Her data-driven, investigative coverage spans more than a decade, including prior roles with CNET, the AP, NPR, the BBC and others. She can be found on Mastodon at @raehodge@newsie.social. 


Related Topics ------------------------------------------

Cyberattack Cybersecurity Digital Rights Explainer Health Privacy