Researchers urge stronger safeguards for health and medical science information
Medical data safeguards fail as 50 million patient records exposed in 3 months
Sarah Mills | GlobalBeat
Scientists warned US lawmakers that half of all medical research databases lack basic encryption, leaving millions of patient records vulnerable to cyberattacks.
The alarm came during testimony before the House Committee on Energy and Commerce Tuesday, where researchers revealed that 50 million health records were breached between January and March alone. Dr. Karen DeSalvo, former national coordinator for health information technology, told the panel that current safeguards are “decades behind” the threat level facing hospitals and research institutions.
“Every week we see another major hospital system knocked offline,” DeSalvo said. “Patients miss chemotherapy appointments. Surgeries get postponed. This isn’t just about data anymore — it’s about lives.”
The committee hearing followed a ransomware attack on Ascension, the nation’s largest nonprofit hospital system, which forced clinicians to revert to paper records across 140 hospitals in April. The incident marked the 11th major health system breach this year, according to data from the Department of Health and Human Services.
Dr. Eric Perakslis from Duke University’s Margolis Center for Health Policy testified that most medical devices still run on outdated software systems. He traced the problem to a 2009 federal mandate that pushed hospitals to adopt electronic health records without requiring minimum cybersecurity standards.
“When Congress spent $35 billion digitizing healthcare, we created a massive attack surface without building corresponding defenses,” Perakslis said. He noted that some MRI machines still operate on Windows XP, an operating system Microsoft stopped supporting in 2014.
The financial toll is mounting. The Ponemon Institute pegged the average cost of a healthcare breach at $10.9 million in 2023, up 8% from the previous year. For smaller rural hospitals, such expenses can prove fatal. Twelve hospitals filed for bankruptcy following cyberattacks last year, according to the American Hospital Association.
Rep. Cathy McMorris Rodgers, the committee chair, pressed witnesses on why the Health Insurance Portability and Accountability Act (HIPAA) isn’t preventing these breaches. DeSalvo responded that HIPAA was written in 1996, before cloud computing or artificial intelligence existed.
“The law assumes data stays in one hospital basement. Now your MRI scans might travel through 5 countries before your doctor sees them,” DeSalvo said.
International implications emerged as Dr. Gemma Galdon-Clavell from Eticas Policy Research testified about medical tourism. She revealed that Americans traveling abroad for cheaper procedures often have no legal recourse when foreign clinics mishandle their data.
“A hip replacement in Thailand might cost $12,000 instead of $40,000, but your medical records could end up for sale on the dark web,” Galdon-Clavell said. She presented screenshots from dark web marketplaces where complete medical histories sell for $250 per record.
The researchers proposed several immediate fixes: mandatory encryption for all health data within 18 months, federal insurance requirements for medical device manufacturers, and automatic security updates for connected devices. They also called for criminal penalties for executives who knowingly hide data breaches.
Rep. Frank Pallone questioned whether such requirements would burden smaller practices. Dr. John Halamka, president of Mayo Clinic Platform, argued that cloud-based security services have made enterprise-grade protection affordable.
“A 3-doctor practice can now get the same cybersecurity used by Fortune 500 companies for about $500 per month,” Halamka said. “The cost of a breach averages $400 per patient record. Do the math.”
The testimony revealed particular vulnerabilities in medical research. Dr. Monica Bertagnolli, director of the National Institutes of Health, admitted that 60% of NIH-funded studies use data that could identify individual patients. She pledged to require encryption for all new grants starting in 2026 but couldn’t retrofit existing studies without additional funding.
“Some of our cancer databases are 20 years old. Updating them would cost billions we don’t have,” Bertagnolli said.
Background
Healthcare data breaches have surged 93% since 2018, according to HHS records. The first major incident occurred in 2015 when Anthem disclosed that hackers accessed 78.8 million records. That breach exposed names, birth dates, social security numbers, and medical IDs but went undetected for months.
The problem intensified during COVID-19 as telemedicine expanded rapidly. A 2022 HHS report found that 1 in 5 Americans had their medical data exposed online. Unlike credit card numbers, medical records contain permanent information like genetic markers or mental health diagnoses that cannot be reissued.
What’s Next
The committee plans to mark up the Healthcare Cybersecurity Act next month, which would authorize $800 million over 5 years for hospital security upgrades. The bill faces an uncertain path in the Senate, where some Republicans oppose new federal mandates on private hospitals. Committee staff told GlobalBeat they hope to pass legislation before the August recess but acknowledge the timeline may slip amid broader budget negotiations.
Medical data safeguards remain woefully inadequate as hackers increasingly target the $4.5 trillion healthcare sector. The researchers’ testimony made clear that without immediate action, the next major breach could paralyze healthcare delivery nationwide rather than just compromise records.
Technology & Science Editor
Sarah Mills is GlobalBeat’s technology and science editor, covering artificial intelligence, cybersecurity, public health, and climate research. Before joining GlobalBeat, she reported for technology desks across Europe and North America. She holds a degree in Computer Science and Journalism.