Small-to-Midsize Health Practices: You Must Protect Your Patients’ Records From Cyberattacks
- michelle1593
- 5 days ago

By Dave Carey
Here is a tough question for health care providers: How would you tell your patients that their medical records had been hacked and exposed?
Because as much as you want to think this would not happen to you, the trends in the industry in recent years are not on your side.
If you own or operate a health practice of any kind, you certainly are in possession of a great many patient records. You know how critical it is to keep those records secure, not only because HIPAA demands it but also because you respect your patients and want to ensure their privacy is protected.
When I talk to physician practices, dentist offices, eye doctors, physical therapists and the like, they all say the same thing: “Protecting patient records is a top priority.”
And I believe them.
But I also know something. It was a top priority for Change Healthcare (the claims-processing subsidiary of Minnesota-based UnitedHealth Group) in 2024, and that didn’t stop a February 2024 ransomware attack from compromising the health records of roughly 192 million people.
You read that right: One hundred ninety-two million patient records.
That was the largest breach of patient records in history, by far, although it was certainly not the only significant one in recent years. The Kaiser Foundation Health Plan saw 13.4 million patient records exposed in 2024, while Colorado-based Welltok Inc. experienced a breach in 2023 that put 14.7 million patient records in the hands of hackers.
There have been more than 100 breaches in the past several years affecting 1 million or more patients each. And these were attacks against well-established companies that had full-time IT departments and strict HIPAA-compliance policies and procedures.
How Did They Get Hacked?
In simple terms, they got hacked because the methods of cyberattackers become more sophisticated every year. Or I should probably say, every week, because that’s about how often I get updates about a new threat to the data of organizations all across the world.
The health care industry is hardly the only target. From manufacturing to logistics to financial services to law, companies are learning the hard way that bad actors are looking for ways to cripple their enterprises, steal their data and make a hefty profit as a result.
The techniques are becoming increasingly sophisticated, but the entry points are usually familiar: security patches that were never applied, deceptive emails that trick employees into granting access, or fake websites that trick people into entering their login credentials.
Straightforward Steps: How To Increase Your Security
Some of the steps you can take are fairly straightforward, like requiring multifactor authentication for every user and every remote-access login (the Change Healthcare intrusion began with stolen credentials on a remote-access portal that did not require it), or teaching employees not to act on deceptive emails. Others require a bit more knowledge. I often check to see whether a company has published a DMARC record for its domain. DMARC tells the mail servers that receive messages claiming to come from you what to do when a message fails the SPF and DKIM checks: a record with p=reject or p=quarantine stops spoofed mail, while a missing record or one set to p=none leaves anyone free to send email as you. It’s easy for me to find this out about you, because the record is public DNS data, and it’s just as easy for the bad guys. But most business owners have never even heard of it, and most haven’t done it.
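The check described above, written out as an added example. This is not code from the original article or from the author’s firm; it parses a domain’s DMARC TXT record and reports whether the policy actually enforces anything. The domain names and records in `SAMPLES` are constructed for illustration, and the live-lookup helper assumes the `dig` command is installed and the network is reachable.

```python
"""Assess whether a domain's DMARC record enforces a policy or only monitors.

A DMARC record lives at _dmarc.<domain> as a DNS TXT record (RFC 7489 syntax),
e.g.  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com".
"""
import re
import subprocess

# Constructed sample records (not live lookups) covering the common states.
SAMPLES = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "enforcing.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@enforcing.example; adkim=s; aspf=s",
    "half-enforced.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
}


def parse_dmarc(record):
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (grade, findings) for a DMARC record string, or None if absent.

    grade is one of: missing, invalid, monitor-only, partial, enforcing.
    """
    if record is None:
        return "missing", ["no _dmarc TXT record: receivers have no policy, so spoofed mail is delivered"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record does not start with v=DMARC1; receivers ignore it"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["missing or unknown p= tag; receivers ignore the record"]

    findings = []
    grade = "enforcing"
    if policy == "none":
        grade = "monitor-only"
        findings.append("p=none only requests reports; spoofed mail is still delivered")
    else:
        # pct defaults to 100; a lower value applies the policy to only a sample of failures.
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 100
        if pct < 100:
            grade = "partial"
            findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
        # sp= covers subdomains and defaults to the p= value when absent.
        if tags.get("sp", policy).lower() == "none":
            grade = "partial"
            findings.append("sp=none: subdomains (e.g. billing.<domain>) can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports showing who spoofs you")
    return grade, findings


def fetch_dmarc(domain):
    """Live lookup of _dmarc.<domain> via `dig`; returns the record or None.

    Assumes `dig` is installed and DNS is reachable; any failure is reported as None.
    """
    try:
        out = subprocess.run(["dig", "+short", "TXT", f"_dmarc.{domain}"],
                             capture_output=True, text=True, timeout=10, check=True).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    for line in out.splitlines():
        # dig prints TXT data as one or more quoted strings; join the pieces.
        txt = "".join(re.findall(r'"([^"]*)"', line))
        if txt.upper().startswith("V=DMARC1"):
            return txt
    return None


if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        grade, findings = assess_dmarc(record)
        print(f"{domain}: {grade}")
        for finding in findings:
            print(f"  - {finding}")
```

To check a real practice domain, call `assess_dmarc(fetch_dmarc("yourpractice.example"))`; a grade of `missing` or `monitor-only` is the state most small practices are in, and moving to `p=quarantine` or `p=reject` is the step that actually stops spoofing.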
One of the biggest mistakes the owner of a medical practice can make is to assume they are too small to be a target. That’s not how the cyber world works. Attackers get in wherever they can, then use the connections they find (your billing vendor, your referral partners, your cloud accounts) to reach bigger targets. And your patient records alone are valuable enough to make you worth breaching.
You can protect yourself, and I help many small businesses do so.
It’s a matter of taking some critical steps and then remaining vigilant about certain things on an ongoing basis. There are no guarantees when the nature of threats keeps changing so quickly, but with the right allies and the right approach you can greatly increase your chances of avoiding a hack.
I don’t want your patients’ records compromised, and I certainly don’t want you to have to deal with the fallout that would result from such an event.
Take it seriously. Reach out. It’s why I’m here. Call me at 616.217.3019 or email dacarey@cybersynergies.io.