Forty million Americans were affected by health data breaches in 2019 — a 65-percent increase from 14 million in 2018.

The Fortified Health Security 2020 report, titled The State of Cybersecurity in Healthcare, compiled annual data from 2009 through 2019 and found last year was the highest number recorded since 2015 when 113.27 million records were exposed — an increase of 84 percent from 17.4 million in 2014.

For the first time ever, more than 400 healthcare organizations reported a breach of 500+ patient records in a single year, says the report. Despite continued efforts to make improvements, the report notes that many enterprises still struggle to stay in front of cybercriminals due to limited budgets, human capital challenges and alert fatigue. 

Through the first 10 months, the number of reported breaches increased 38 percent compared to the same period last year. In total, over 429 entities have reported a major breach so far, which already eclipses the 371 entities impacted in all of 2018. This equates to more than 40 million individuals impacted by these reported breaches. The organization expects the number of entities reporting a breach to surpass 480 by the end of 2019, the report says.

Additional findings:

  • Hacking has been the leading cause of reported breaches since 2016 and this year, for the first time, hacking caused the majority of all reported events at 59 percent, continuing a steady rise since 2014. 
  • According to reported breach data, the attack vector most often used by cybercriminals in healthcare this year was email. Since 2014, the percentage of breaches involving email has increased to over 40 percent. This represents a significant jump since 2014, and this trend is not likely to slow down.

Fortified Health Security predicts 2020 to include:

Double-digit increase in breaches: Healthcare will experience a 10-15 percent increase in the number of entities breached over 2019, with providers being the most targeted and exploited segment.

Continued cybersecurity technology vendor investment and consolidation: Given the amount of investment and focus on threats related to IoT, further consolidation in IoT cybersecurity is expected.

Email as the attack vector of choice: As in prior years, bad actors will continue to use sophisticated phishing campaigns to target and exploit healthcare organizations.

Investment in advanced endpoint technologies: Healthcare organizations will make additional investments in endpoint security technologies to secure the threat landscape at the edge. Remember to consider how your organization will operationalize this technology to extract the most value and maximize protection.