
Third-Party Data Breach Victims Double, Healthcare Most Targeted

A Black Kite report revealed the increasing level of impact third-party breaches had on select industries, with healthcare as the most targeted sector.

While the total number of third-party breaches dipped slightly in 2022, the attacks impacted nearly twice as many victims, wreaking havoc on the healthcare industry more than any other sector, Black Kite’s Third-Party Breach Report found.

Researchers compiled their findings from a subset of data focused on 63 individual third-party incidents, which created a ripple effect of breaches throughout 2022.

Almost 63 attacks on vendors caused third-party breaches impacting almost 300 data breach victims. The level of breach impact increased in the last year as there were 4.73 affected companies per vendor in 2022 compared to 2.46 companies per vendor in 2021.

“One could easily speculate that hackers are conducting smarter attacks, aiming for more initiatives that garner a higher number of victims from a single strike,” the report stated.

“It is of no surprise that over time, the threat actor community has learned to make the most of each attack, hence pivoting to more profitable business models. Ransomware, in particular, RaaS (ransomware as a service), are business models that have ramped up over the last few years. With the impact of third-party breaches doubling this year, understanding even a vendor's basic cyber posture is an important part of the equation.”

Researchers linked the increased number of victims to the domino effect that occurs when one third-party breach poses a risk to other connected vendors, a notion also known as cascading risk. Specifically, the researchers described the term as the “chain of causality that emerges when risk and accumulated vulnerabilities connect to increase the chance of attack.”

What’s more, unauthorized network access was the most common cause of third-party data breaches, setting off nearly 40 percent of the analyzed breaches. Ransomware was the second most cited cause, initiating 29 percent of attacks, a rate that has fallen slightly since 2021.

“Unauthorized network access is often more complex than it sounds and usually comes with social engineering attacks, primarily phishing. The unauthorized parties access network credentials through phishing, stolen credentials, vulnerabilities in access control, or a combination of these,” the report noted.

“Unfortunately, the remote work model that has become prevalent with the pandemic is one of the key enablers for such attacks. Companies should stick to periodic cyber security training for such attacks in the IT department and their employees in other departments.”

Third-party breaches pose a significant risk to many sectors, including technology and software, but the healthcare sector was the most impacted by third-party breaches in 2022.

Rising from the previous year, the healthcare sector was targeted by close to 35 percent of all analyzed third-party attacks. In 2021, 33 percent of the attacks that caused breaches were in the healthcare sector.

“One of the main events that caught hackers’ attention to healthcare was Covid-19. While everyone in the world concentrated on the health sector, tremendous data began to pile up within the healthcare realm,” the report stated.

“Regulations like HIPAA and GDPR are very strict on how to handle the data, due to the high risk. However, the heavy sanctions for breaches of personal health information (PHI) have only attracted more attention to this sector.”

The vulnerability of the healthcare sector makes it the perfect target for third-party data breaches. The sector’s minimal budget, patient data sharing capabilities, increasing interconnectedness, and outdated software give attackers multiple avenues to infiltrate and gain access to patient data.

While the data included in this study was limited, several other reports also concluded that the rising rates of data breaches are hitting the healthcare sector more than others.

As previously reported, the majority of the top ten largest healthcare data breaches reported to HHS in 2022 stemmed from third-party vendors, highlighting a need for better third-party risk management.
