Once you understand the catastrophic impact of healthcare cybercrime, you might start to worry about your own healthcare security risks. If not, you should.
News of medical data cyberattacks keeps on coming. From January to May of this year, we have seen an average of 29 significant events per month.
What is a Healthcare Data Breach
A data breach allows unauthorized persons — usually criminals — to access files that are stored on health service providers’ computer systems. Those records can include any or all of the following:
- patient’s name, address, and email address
- banking and payment method information
- Social Security numbers
- medical history, including information on procedures
- medical images
- prescription history
- insurance information
- drug-testing results
- medical staff certification and employment information
- spousal and dependant information
- emergency contact information
Exploring how widespread the problem is will be the focus of this special article.
The Cost of Healthcare Cyber Security Attacks
Security breaches in healthcare systems are nothing new. But that doesn’t make them any less costly.
2018 has already seen a 16.4% increase in the cost of healthcare data security breaches compared to last year. The average cost per attack? $3.86 million.
Healthcare information security is becoming a hot topic for consumers. A healthcare security report indicated that 38% of those surveyed are concerned about the security of their medical records. If you are among them, our research will do nothing to reduce your fears.
In this article, we have compiled a list of some of the top healthcare information security breaches of all time.
Not surprisingly, few companies included in our list claim that wrongdoing on their part contributed to their patients’ data being compromised. And they may be right. One thing they all agree on is the need for better protection mechanisms securing our medical data.
Top 50 Healthcare Security Breaches of All Time
HealthEquity reported in April that 23,000 of its accounts had been compromised.
The breach resulted from a successful email phishing attack, which allowed the hacker to access company emails.
While the affected files did not contain medical data, other sensitive information was available to the hacker. The names of company employees, Social Security numbers of employees, member IDs, deduction amounts, and account details were compromised.
2. Medicaid (Florida)
In November, a massive hack compromised 30,000 non-medical records for Medicaid patients in Florida.
The healthcare security breach was traced to a phishing email received — and acted upon — by an employee.
3. BJC HealthCare
In January, a misconfigured BJC HealthCare server made 33,420 patients’ records accessible without protection on the Internet.
There was no indication that any Protected Health Information (PHI) data was accessed, but a healthcare security services investigation could not rule it out.
4. ATI Physical Therapy
In January of this year, ATI Physical Therapy discovered a security breach that possibly compromised the records of more than 35,000 patients.
By accessing employee email accounts, the attacker changed employee direct deposit information. Further investigation revealed the hacker also accessed tens of thousands of emails containing patient PHI data.
5. Holland Eye Surgery & Laser Center
In March of this year, Holland Eye Surgery & Laser Center saw something bad. A breach in their network had allowed a hacker access since June of 2016.
In the course of 30 separate intrusions, the hacker accessed more than 42,000 patient records. CSV files containing the stolen data had been sold on the Dark Web.
6. Aultman Health
Aultman Health has become yet another victim of email phishing.
Between February and March of this year, hackers potentially accessed data from 42,600 patients. The breach involved compromising staff email accounts, which contained patient data.
7. Coplin Health Systems
Coplin Health Systems reported in November that 43,000 patient files had been compromised.
A laptop containing the data was stolen from an employee’s vehicle. While the computer was password protected, the data had not been encrypted.
8. Golden Heart Administrative Professionals
Medical billing provider Golden Heart Administrative Professionals reported in July that a ransomware attack had affected more than 500 of its clients. Records of more than 44,000 individuals were compromised.
While not all patient files were encrypted, the company said it must assume that all patient data was compromised.
9. Blue Springs Family Care (Missouri)
Missouri-based Blue Springs Family Care reported a breach in March of this year. The intruder successfully infiltrated the company’s entire system, gaining access to patient records.
All of the usual patient data was accessed, although it is too early to know if any of it has been misused.
10. Onco360 and CareMed Specialty Pharmacy
In November of last year, Onco360 and CareMed Specialty Pharmacy determined that PHI data for more than 53,000 patients had been accessed by a hacker.
The actor gained access to the data through three compromised email accounts. There was no indication that any of the data had been misused.
11. Children’s Mercy Hospital
According to a Children’s Mercy Hospital report to the Office for Civil Rights (OCR), more than 63,000 patient records were exposed through an email phishing attack earlier this year.
Hackers accessed patient names and clinical data through a hacked email account.
12. Middletown Medical
A misconfigured radiology interface at Middletown Medical exposed 63,551 patient records to the machine’s users in January of this year.
Unauthorized users could have potentially accessed the affected patient records through the interface.
Data that was exposed included patient names, birthdates, treatment details, and client identification numbers. The diagnosis codes, radiology images, and radiology reports of a limited number of patients were also included.
13. East Valley Community Health Center
In October of 2016, a hacker breached the login portal of East Valley Community Health Center, and installed ransomware on one of its servers.
The ransomware, named Troldesh/Shade, compromised a large number of files.
One of those files contained patient account data, including patient names, addresses, medical record numbers, birthdates, insurance account numbers, and diagnosis codes.
14. Salina Family Healthcare Center
In June of last year, Kansas-based Salina Family Healthcare Center became yet another victim of ransomware.
15 company servers and 33 desktop computers were infiltrated, prompting the clinic to mail notices to 70,000 health and dental patients, notifying them that their data may have been compromised.
Canadian CarePartners reported in June of this year that patient and employee financial information had been “inappropriately accessed by the perpetrators”.
According to the hackers themselves, the ransomware attack was made possible by vulnerabilities in software that had not been updated in two years. Nor was the data encrypted.
16. Washington University School of Medicine
A successful phishing attack breached the email system at Washington University School of Medicine.
The attack, discovered by the clinic in January of this year, exposed the medical records and Social Security numbers of 80,270 patients.
17. Owensboro Health Muhlenberg Community Hospital
Owensboro Health Muhlenberg Community Hospital suffered from a malware attack in September of 2015, although computers might have been infected as early as January of 2012.
The keylogging malware allowed hackers to view patient, employee, and contractor records.
18. Center for Orthopaedic Specialists
Center for Orthopaedic Specialists learned firsthand the risks posed by ransomware.
In February of this year, an unidentified cyber criminal accessed the company’s server and encrypted PHI data for 85,000 patients.
An investigation did not detect that any of the data had been copied.
19. Boys Town National Research Hospital
Boys Town National Research Hospital revealed in July that employee information and patient data had been potentially accessed by unauthorized persons.
According to the hospital, an employee’s breached email account possibly exposed more than 105,000 records to hackers. There has been no indication that any of the information has been misused.
20. McLaren Medical Group
In March of 2017, a hacker accessed a McLaren Medical Group system database.
An investigation by the clinic verified that the perpetrator accessed the PMI records of seven people. They could not rule out that the records of more than 106,000 patients were also breached.
Patients’ basic account information, diagnoses, and Social Security numbers were possibly available to the hacker.
21. Arkansas Oral & Facial Surgery Center
A July 2017 ransomware attack locked down patient records at the Arkansas Oral & Facial Surgery Center.
The affected files included patient account information, medical records, and Social Security numbers, among other data.
22. St. Peter’s Surgery and Endoscopy Center (New York)
According to St. Peter’s Surgery and Endoscopy Center, malware compromised the data of 134,512 patients.
Company officials detected the infiltration the same day it occurred — January 18, 2018. It was unclear if the fast response prevented any records from being accessed.
23. NHS Digital
In a statement released in July, NHS Digital revealed that 150,000 of the U.K.’s National Health Service patients may have had their data shared without the patients’ consent.
NHS, healthcare IT provider for the U.K.’s healthcare system, said a coding error resulted in some patients’ data being shared, even though they had “opted out” of sharing their data. The records were inadvertently made available for research and clinical planning as far back as 2015.
24. Advantage Dental
Oregon dental network, Advantage Dental, was the target of a February 2015 intrusion. Advantage sent notices to patients, informing them that their records may have been involved.
No financial or medical information was exposed, but patient names, addresses, birthdates, phone numbers, and Social Security numbers were accessed by the hacker.
25. Med Center Health
In March of last year, Kentucky-based Med Center Health reported a breach affecting the data of 160,000 patients.
A former employee is blamed for stealing patients’ PHI data before leaving the company.
26. Emory Healthcare
A ransomware attack at the end of 2017 wiped clean an Emory Healthcare database.
The hackers used the Harak1r1 0.2 Bitcoin Ransomware to access workflow records, affecting the files of over 200,000 patients.
The cyberthieves demanded 0.2 bitcoin in exchange for returning the data.
Human error at MedEvolve exposed the records of 205,000 patients. The medical practice software vendor accidentally left its FTP server accessible without the need for login credentials.
The July 2018 incident made account information for two medical institutions accessible to anyone on the web.
28. Beacon Health System
In March 2015, patients and employees of two Beacon Health System facilities were notified that their data was compromised.
The phishing attack began in November of 2013, allowing the attacker to access medical records and other sensitive information.
29. Med Associates
In June of this year, New York-based Med Associates had a data breach. The health billing company believes the hacker accessed PHI records of up to 270,000 patients.
A compromised company computer was identified as the targeted device.
30. Medicaid (Oklahoma)
In November, Oklahoma State University Center for Health Sciences revealed that records from 279,865 Medicaid patients had been accessed by a hacker.
By infiltrating one of the institution’s servers, the perpetrator accessed Medicaid billing information.
31. The Women’s Health Care Group of Pennsylvania
The Women’s Health Care Group of Pennsylvania found a server and a workstation infected with ransomware in May of this year.
Cybercriminals had been probing their way through the system since January of 2017, accessing patient medical records and Social Security numbers in the process.
32. LifeBridge Health
Baltimore-based LifeBridge Health fell victim to an internal network vulnerability. The hacker accessed the company’s server through the computer of one of its physician practices.
The breach, which took place in September of 2016, compromised non-medical data of half a million patients.
33. Airway Oxygen
Airway Oxygen, an oxygen therapy equipment provider, detected a breach of its customer database in April.
Although the company’s antivirus software detected the ransomware attack, account information for more than half a million customers was exposed to hackers.
34. Peachtree Orthopedics
Peachtree Orthopedics of Atlanta announced a breach of their computer system in September of 2016.
The account information accessed by the hackers included patients’ names, addresses, email addresses, and for some, prescription information and Social Security numbers.
35. Bon Secours Health System
In April of 2016, Bon Secours Health System patients’ PHI data was exposed unprotected to the Internet.
The error occurred when a data services vendor, R-C Healthcare Management, misconfigured their network.
36. UnityPoint Health
In August of this year, UnityPoint Health, of Des Moines, Iowa, reported to 1,400,000 patients that their medical records had been compromised.
A series of successful phishing emails allowed the perpetrator to access medical records, as well as insurance and payment information.
The personal profiles of 1.5 million patients in Singapore were breached in July of this year.
Although no financial or medical information was compromised, personal profile and prescription data was exposed to the hacker, including those belonging to Prime Minister Lee Hsien Loong.
38. 21st Century Oncology
In November of 2015, 21st Century Oncology Holdings was notified by the FBI that it was investigating a breach into the company’s database.
The company, which operates a chain of cancer treatment centers, said it had no indication that patient PHI data had been misused.
39. NewKirk Products
Healthcare ID card provider NewKirk Products experienced a relatively simple, but devastating, hack in May of 2016.
The breach involved a single server, which contained the names, addresses, dependant names, primary care physician names, plan types, birthdates, member and group ID numbers, Medicaid ID numbers, and premium invoice information.
The data of more than three million insurance card holders was stolen.
40. Banner Health
Banner Health could not be lucky enough to just have their patients’ medical records hacked. The perpetrator, here, even took credit card and ATM card information from food and drink purchases made in their cafeteria.
This advanced hack breached computers containing POS data, and computers hosting medical records.
41. Horizon Healthcare Services
New Jersey-based health provider Horizon Healthcare Services was required to pay $1.1 million for failing to protect the privacy of 690,000 policy holders.
The announcement by the state Attorney General in February of 2017 was in response to two laptops that had been stolen from the company’s headquarters.
The AG said the laptops contained unencrypted policyholder information, in violation of the law.
42. Medical Informatics Engineering
Medical Informatics Engineering detected a sophisticated intrusion into its servers in May of 2015. Personal identity information, medical records, patient login credentials, and even spousal information was accessed.
Like other companies whose security has been breached, MIE offered credit monitoring to its nearly four million affected customers.
43. Advocate Health Care
In July of 2015, Advocate Health Care of Chicago fell victim to one of the largest healthcare breaches of all time. Four laptops were stolen from their administrative building. Medical records of four million patients were on them.
The provider agreed to pay more than $5 million in settlements to those whose records were stolen.
44. Community Health Systems
Community Health Systems, which operates 206 hospitals, experienced a major data breach in 2014. An investigation indicated Chinese government ties to the perpetrators.
CHS believes no medical information was compromised, but other patient policy information was available to the hackers.
45. University of California, Los Angeles Health
The University of California, Los Angeles Health System (UCLA) is no small potato. The institution is one of the largest and most well-respected healthcare providers in the U.S. Even so, they fell prey to hackers in 2015, when a hacker accessed a major database.
An investigation revealed that the perpetrator spent a year probing the system. In 2015, they hit paydirt. A database containing PHI data of 4.5 million patients and staff was copied.
Even the medical records of military personnel are not immune from healthcare data breaches. Science Applications International Corp., a vendor for Tricare Management Activity insurance company, had backup tapes of patient data stolen in September of 2011.
The backup tapes, which were stolen from a SAIC employee’s vehicle, contained sensitive patient information from approximately 4.9 million patients.
47. Excellus BlueCross BlueShield
New York healthcare provider Excellus reported that as many as 10 million patients were compromised by a hack that started in 2013.
Compromised were patients’ names, addresses, telephone numbers, birthdates, policy numbers, financial account data, and claim information.
48. Premera Blue Cross
In January of 2015, one of the largest health insurance providers in the U.S. Pacific Northwest discovered a breach affecting up to 11 million customers.
Investigation revealed that the system breach began as far back as May of 2014, and was possibly the work of Chinese state-sponsored hackers.
Although Premera said there was no indication that data was removed from their system, the intruder had access to customers’ most sensitive information. Patient names, clinical records, bank account information, Social Security numbers, birthdates, and other data were all exposed to the prying eyes of cybercriminals.
Only some of the data was believed to be encrypted.
49. Anthem Inc.
Anthem Inc., the second largest insurance provider in the U.S., was successfully targeted by a phishing scheme that began in February of 2015.
The healthcare data breach resulted in the infiltrator accessing employees’ and members’ records.
The company believes nation-state actors were behind the attack, which impacted 90 systems within the company’s network.
Headquartered in Burlington, North Carolina, the mammoth medical testing provider LabCorp was targeted by ransomware on July 14th of this year.
115 million patient records were potentially compromised. Hackers accessed data by breaching the company’s network security.
What the LabCorp Data Breach Means
LabCorp may — for now — have the unfortunate distinction of being the company with the greatest number of files potentially exposed during a single data breach. This does not suggest they did not have solid data security in place.
You bet they did.
What LabCorp’s cyberattack means to the healthcare industry raises a far more important question: If one of the world’s largest and most responsible healthcare service providers can fall victim to cybercrime, what does that mean for the future of the healthcare industry?
The answer lies in AI-based protection mechanisms that nestle data within robust blockchains. If LabCorp’s hack leads the industry to adopt such solutions, then maybe it will mark the turning point in the war on cybercrime.
Medical records are increasingly in the crosshairs of cybercriminals. Few targets have higher value. Keeping patient data safe is crucial not only to the financial well-being of billions of people, but also to their health.
If securing medical data is in your crosshairs, you will need a technology partner to make it happen. That’s why Ignite should matter to you.
We provide world-class development of cutting-edge solutions, including those you will need to tap the market.
Why not contact us for a no-cost consultation?