Tracking Healthcare Breaches in the United States
Good ole' Section 13402(e)(4) of the HITECH Act
Through June of 2023, there were 1221 publicly reported ransomware attacks against healthcare providers in the United States. But how many more ransomware attacks were there that we don’t know about? That is where section 13402(e)(4) [PDF] of the HITECH Act comes in. Section 13402(e)(4) states:
(4) POSTING ON HHS PUBLIC WEBSITE.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.
Basically, any time there is a breach of unsecured Protected Health Information (PHI) affecting more than 500 individuals, it has to be reported to the US Department of Health and Human Services (HHS), and the HHS Secretary has to post it on the Breach Portal.
One of the nice things about the HHS Breach Portal is that it is publicly searchable and you can filter by “Hacking/IT Incident.” Unfortunately, the portal doesn’t get more granular than that, so we don’t know how many of these “Hacking/IT Incidents” were ransomware attacks, though we can often work backwards from an entry and look for press coverage of the breach, since paragraph (2) of that same section requires media notice:
(2) MEDIA NOTICE.—Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.
Healthcare organizations impacted by breaches have 60 days to report the incident to HHS, and then HHS takes some time to post it to the portal, so there is often a serious delay. Even as I write this in mid-October, there are likely breaches from the first half of 2023 that have not made it to the portal.
Still, the data can be illuminating:
The numbers rise pretty dramatically from 2020 to 2021 and leveled off a bit in 2022. As of right now, they’ve dipped a bit in 2023, but given delays in reporting they will likely shoot up (for example, running the same search for January 1st through October 15th of 2023 lists 413 “Hacking/IT Incidents”). In fact, since there were only 64 publicly reported ransomware attacks through June 30th of 2022, I expect the number will increase significantly.
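The counting done by hand against the portal above can be reproduced from its CSV export. The script below is an added example, not the author’s code and not anything HHS publishes: it parses a constructed sample laid out like the portal’s export (the column names and the sample rows are assumptions, not real entries), counts “Hacking/IT Incident” entries per year and per submission-date window, and flags a window as provisional when the 60-day reporting deadline, plus an assumed portal posting lag, has not yet elapsed relative to the date you ran the query.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample rows in the column layout of the HHS Breach Portal CSV export.
# The column names are an assumption about the export format; the entities,
# dates and counts are made up for illustration and are not real breach entries.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Health System A,TX,Healthcare Provider,12000,03/14/2021,Hacking/IT Incident,Network Server
Example Clinic B,OH,Healthcare Provider,700,07/02/2021,Unauthorized Access/Disclosure,Email
Example Plan C,CA,Health Plan,45000,11/30/2021,Hacking/IT Incident,Network Server
Example Hospital D,NY,Healthcare Provider,5100,02/09/2022,Hacking/IT Incident,Email
Example Dental E,FL,Healthcare Provider,900,05/21/2022,Theft,Laptop
Example Associate F,IL,Business Associate,23000,09/15/2022,Hacking/IT Incident,Network Server
Example Provider G,WA,Healthcare Provider,3300,01/20/2023,Hacking/IT Incident,Network Server
Example Provider H,GA,Healthcare Provider,2500,06/28/2023,Hacking/IT Incident,Network Server
Example Provider I,AZ,Healthcare Provider,1800,10/03/2023,Hacking/IT Incident,Email
"""

HACKING = "Hacking/IT Incident"
# Covered entities have 60 days to report a 500+ individual breach to HHS.
REPORTING_WINDOW = timedelta(days=60)


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def load_entries(csv_text):
    """Parse a portal-style CSV export into dicts with typed date and count fields."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        entries.append({
            "entity": row["Name of Covered Entity"],
            "state": row["State"],
            "affected": int(row["Individuals Affected"]),
            "submitted": datetime.strptime(row["Breach Submission Date"], "%m/%d/%Y").date(),
            "type": row["Type of Breach"],
        })
    return entries


def hacking_incidents(entries, start=None, end=None):
    """Entries typed Hacking/IT Incident, optionally limited to an inclusive submission-date window."""
    start, end = _as_date(start), _as_date(end)
    return [e for e in entries
            if e["type"] == HACKING
            and (start is None or e["submitted"] >= start)
            and (end is None or e["submitted"] <= end)]


def count_by_year(entries):
    """Hacking/IT Incident count keyed by submission year, like the portal's year-by-year view."""
    return dict(sorted(Counter(e["submitted"].year for e in hacking_incidents(entries)).items()))


def count_in_window(entries, start, end):
    """Hacking/IT Incident count for a date range, like the portal's date filter."""
    return len(hacking_incidents(entries, start, end))


def is_provisional(window_end, as_of, posting_lag=timedelta(0)):
    """True if a breach discovered on or before window_end could still be unreported or
    unposted as of as_of: the 60-day deadline plus an assumed posting lag has not elapsed."""
    return _as_date(window_end) > _as_date(as_of) - REPORTING_WINDOW - posting_lag


if __name__ == "__main__":
    entries = load_entries(SAMPLE_CSV)
    print("by year:", count_by_year(entries))
    as_of = "2023-10-15"
    print("H1 2023:", count_in_window(entries, "2023-01-01", "2023-06-30"),
          "provisional (60 days only):", is_provisional("2023-06-30", as_of),
          "provisional (with assumed 60-day posting lag):",
          is_provisional("2023-06-30", as_of, timedelta(days=60)))
```

The posting-lag parameter is the honest part of this: the statute fixes the 60-day reporting deadline, but how long HHS takes to post an entry is not published, so treat it as a tunable assumption and widen it until year-over-year counts stop moving when you re-run the query.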
My point in writing about this is that I think, for all its flaws, the HHS reporting portal is a good model for what government cyber incident/ransomware reporting should look like (the Maine portal is another excellent example). Making reported data like this publicly searchable helps keep consumers informed, but also helps researchers better understand the scope of the problem. I definitely think there are changes that need to be made to the HHS portal, but it is a good start and the changes only need to be incremental from there.
According to data gathered by Recorded Future