Digital transformation is helping healthcare providers across the globe to become more cost-efficient, while improving standards of patient care. But digitizing healthcare records also comes with some major cyber risks. Once your data is stored on IT systems that can be reached via the internet, it could be accidentally leaked, or accessed by malicious third parties or even insiders.

Medical data is among the most sensitive information we share with organizations. That’s why it’s given “special category” status by the GDPR – meaning additional protections are required. But no organization is 100% breach-proof. That means it’s more important than ever that you understand what to do in the event your data is compromised – to minimize the fallout.

The worst-case scenario

In the first 10 months of 2023 in the US, over 88 million people had their medical data exposed, according to government figures. The number could be even higher once organizations not regulated by patient privacy law HIPAA are taken into account.

The most notable incidents of recent years include:

  • Change Healthcare, which suffered a major ransomware breach in February 2024. The US healthcare provider not only experienced major operational disruption, but its attackers (Black Cat/ALPHV) also claimed to have stolen 6TB of data during the attack. Although the ransomware group shut down shortly after Change Healthcare paid an alleged $22m ransom, the ransomware affiliate responsible for the attack tried to extort the company again, threatening to sell the data to the highest bidder.
  • Mental health startup Cerebral accidentally leaked highly sensitive medical information on 3.1 million people online. The firm admitted last year that, for three years, it had inadvertently been sharing client and user data with “third-party platforms” and “subcontractors” via misconfigured marketing tech.

What’s at stake?

Among the medical data potentially at risk is your:

  • Medical insurance policy numbers, or similar
  • Personally identifiable information (PII) including Social Security number, home and email address, and birth date
  • Passwords to key medical, insurance and financial accounts
  • Medical history including treatments and prescriptions
  • Billing and payment information, including credit and debit card and bank account details

This information could be used by threat actors to run up bills on your credit card, open new lines of credit, access and drain your bank account, or impersonate you to obtain expensive medical services and prescription medication. In the US, healthcare records could even be used to file fraudulent tax returns in order to obtain rebates. And if there’s sensitive information on treatments or diagnoses you’d rather be kept secret, malicious actors may even try to blackmail you.

8 steps to take following a data breach

If you find yourself in a worst-case scenario, it’s important to keep a cool head. Work systematically through the following:

1. Check the notification

Read through the email carefully for any signs of a potential scam. Tell-tale signs include spelling and grammatical mistakes and urgent requests for your personal information, perhaps by asking you to ‘confirm’ your details. Also, look out for a sender email address that doesn’t match the legitimate company when you hover over the “from” address, as well as for embedded clickable links which you’re encouraged to follow or attachments you’re being asked to download.
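The sender-domain, link and urgency checks described above can be applied mechanically to a saved notification email. The following is an added example, not part of the original article: it assumes a hypothetical provider domain (`example-health.com`) and uses two constructed sample messages, one legitimate and one with the tell-tale signs.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption: the provider's legitimate domain, as printed on your insurance card or statements.
LEGIT_DOMAIN = "example-health.com"

# Constructed sample: look-alike sender domain, urgency cue, off-domain "confirm" link.
SAMPLE_SUSPICIOUS = """\
From: "Example Health Security" <alerts@example-health-support.net>
To: patient@example.org
Subject: URGENT: confirm your details now
Content-Type: text/html

<html><body>Confirm your details within 24 hours:
<a href="http://example-health.com.verify-login.xyz/confirm">Confirm now</a></body></html>
"""

# Constructed sample: sender and link both resolve to the provider's own domain, neutral subject.
SAMPLE_LEGIT = """\
From: "Example Health" <notices@example-health.com>
To: patient@example.org
Subject: Notice of data security incident
Content-Type: text/html

<html><body>Details are at <a href="https://www.example-health.com/incident">our incident page</a>.</body></html>
"""

def _registrable(host):
    # Crude registrable-domain extraction: keep the last two labels (assumes no multi-part suffix like co.uk).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_notification(raw, legit_domain):
    """Return a list of red flags found in a raw notification email; empty list means none found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["from"]
    addr = sender.addresses[0].addr_spec if sender and sender.addresses else ""
    sender_domain = addr.rpartition("@")[2]
    if _registrable(sender_domain) != legit_domain:
        findings.append(f"sender domain {sender_domain!r} is not {legit_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in re.findall(r'href="([^"]+)"', text):  # every clickable link must stay on the provider's domain
        host = urlparse(url).hostname or ""
        if _registrable(host) != legit_domain:
            findings.append(f"link points off-domain: {host}")
    subject = msg["subject"] or ""
    if any(word in subject.lower() for word in ("urgent", "confirm", "immediately")):
        findings.append(f"urgency cue in subject: {subject!r}")
    for part in msg.iter_attachments():  # a genuine breach notice has no reason to carry attachments
        findings.append(f"attachment present: {part.get_filename()!r}")
    return findings
```

Any non-empty result is a reason to contact the provider through a number or web address you already know, rather than anything in the email.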

2. Find out exactly what happened

The next critical step is to understand your risk exposure. Exactly what information has been compromised? Was the incident an accidental data exposure, or did malicious third parties access and steal your data? What type of information may have been accessed? Was it encrypted? If your provider hasn’t answered these questions adequately then call them to get the information you need to take the next steps. If it’s still unclear, then plan for the worst.

3. Monitor your accounts

If malicious actors have accessed your PII and medical information, they may sell it to fraudsters or try to use it themselves. Either way, it pays to monitor for suspicious activity such as medical bills for care you didn’t receive, or notifications saying you’ve reached your insurance benefit limit. If financial information has been compromised, keep an eye on bank account and card transactions. Many organizations offer free credit monitoring, which notifies you when there are any updates or changes to your credit reports which could indicate fraud.

4. Report suspicious activity

It goes without saying that you should report any suspicious activity or billing errors immediately to the relevant provider. It is best to do so in writing as well as notifying your insurer/provider via email/phone.

5. Freeze your credit and cards

Depending on what personal information has been stolen, you might want to activate a credit freeze. This means creditors cannot access your credit report and therefore won’t be able to approve any new credit account in your name, which prevents threat actors from running up debt in your name. Also consider freezing your bank cards and/or having new ones issued. This can often be done simply via your banking app.

6. Change your passwords

If your log-ins have been compromised in a breach, then the relevant provider should automatically reset them. But if not, it might pay to do so manually anyway – for peace of mind. This will prevent account takeover attempts – especially if you also enhance your security by enabling two-factor authentication.

7. Stay alert

If fraudsters get hold of your personal and medical information, they may try to use it in follow-on phishing attacks. These could be launched via email, text, or even live phone calls. The aim is to use the stolen info to add legitimacy to requests for more personal information like financial details. Remain vigilant. And if a threat actor tries to extort you by threatening to expose sensitive medical details, contact the police immediately.

8. Consider legal action

If your data was compromised due to negligence from your healthcare provider, you could be in line for some type of compensation. This will depend on the jurisdiction and relevant local data protection/privacy laws, but a legal expert should be able to advise whether an individual or class action case is possible.

No end in sight

Given that medical records can fetch 20 times the price of credit card details on the cybercrime underground, cybercriminals are unlikely to stop targeting healthcare organizations anytime soon. Their ability to force multimillion-dollar pay-outs via ransomware only makes the sector an even more attractive target. That’s why you need to be prepared for the worst, and know exactly what to do to minimize the damage to your mental health, privacy and finances.