In 2018, the healthcare sector saw 15 million patient records compromised in 503 breaches, three times the amount seen in 2017, according to the Protenus Breach Barometer. But just over halfway through 2019, the numbers have skyrocketed, with potentially more than 25 million patient records breached.
Healthcare has been peppered with massive data breaches, with each of the 10 largest seeing more than 200,000 records breached at a time. What’s worse is that many of these went on for extended periods of time, while others failed to report within the HIPAA-mandated 60 days.
Third-party vendors and phishing attacks were behind most of these security incidents, and investigations into the largest vendor breach are still ongoing. As it stands, 2019 may prove to be the worst year seen for healthcare cybersecurity.
As Sean Curran, West Monroe Partners’ senior director of its security and infrastructure practice, recently told HealthITSecurity.com, these major hacks prove the entire sector needs to adjust its security approach to keep pace with hackers.
“Organizations need to accept that it’s going to happen and focus their attention on how to recover, how to minimize [the damage], and get back up and running as fast as possible: that’s the mindset of what’s more important to customer,” Curran said. “Yes, the Department of Health and Services may fine, states may fine, but I may be able to use insurance against all those fines.”
“I’m not going to lose patients just because I lost records, but I tell you what: if they’re expecting something from me and I can’t deliver? That’s going to matter,” he added.
With that in mind, here are the largest healthcare data breaches from the first half of 2019.
In early May, an 8-K filing with the Securities and Exchange Commission revealed billing services vendor American Medical Collection Agency was hacked for eight months between August 1, 2018 and March 30, 2019.
Since the breach was revealed, at least six covered entities have come forward to report their patient data was compromised by the hack. However, the majority of the impacted providers are still investigating the scope of the breach, so the total number of affected patients will remain unclear for the foreseeable future.
So far, up to 12 million patients from Quest Diagnostics were affected. The hacked system included a trove of personal and financial data from the lab testing giant, including Social Security numbers and medical information.
Up to 7.7 million LabCorp patients were also potentially impacted, as well as 422,000 patients of BioReference. Recently, two more covered entities have been added to the tally: Penobscot Community Health Center in Maine with 13,000 affected patients, and Clinical Pathology Laboratories with 2.2 million patients.
And just this week a sixth provider, Austin Pathology Associates, reported at least 46,500 of its patients were impacted by the event. Shortly after, seven more covered entities reported they too were impacted: Natera, American Esoteric Laboratories, CBLPath, South Texas Dermatopathology, Seacoast Pathology, Arizona Dermatopathology, and Laboratory of Dermatopathology ADX.
In total, more than 774,640 patients have been added to the breach by these covered entities (Natera did not disclose how many of its patients were impacted), bringing the total number of impacted patients to more than 25 million.
Insurer Dominion National reported a nine-year hack on its servers, which potentially breached the data of 2.96 million patients.
An internal alert revealed unauthorized access on its systems, which prompted an investigation. Officials said they found the unauthorized access began as early as August 25, 2010, nearly nine years before the breach was discovered in April 2019.
The servers contained enrollment and demographic information of current and former members of Dominion National’s vision plan, and data of individuals’ dental and vision benefits. Data of plan producers and health providers were also compromised.
A misconfigured database led to a personal health data breach of 1.57 million Inmediata Health Group patients. What’s worse: the provider inadvertently mailed patients the wrong letters during the breach notification process.
The compromised database was discovered in January, when officials found a search engine function was allowing internal Inmediata webpages used for business operations to be indexed. As a result, some electronic health information was exposed.
The investigation determined patient demographic details, medical claims data, and other personal information were potentially breached. But when Inmediata sent the notifications to patients about the security incident, some patients reported that they were receiving multiple letters, some addressed to other patients. Michigan’s Attorney General is investigating the incident.
In February, the University of Washington Medicine began notifying 974,000 patients that their data was exposed online for three weeks due to a misconfigured server.
The breach was discovered in December 2018 when a patient conducted a search of their own name and found a file containing their personal information. They notified UW Medicine, which determined an employee error three weeks prior caused internal files to become publicly accessible.
“Because Google had saved some of the files before December 26, 2018, UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results,” officials said in a statement. “All saved files were completely removed from Google’s servers by Jan. 10, 2019.”
The database contained a trove of personal data, including the name of the lab test or the research study with the name of the health condition for some.
While the Wolverine Solutions Group ransomware attack occurred in September 2018, the third-party vendor performed “rolling notifications” to its impacted healthcare clients. As a result, some providers received notifications as late as March 2019.
WSG systems were infected with ransomware in September, and decryption and file restoration continued throughout October. The cyberattack potentially compromised a wide range of data from a host of clients, including demographic details and Social Security numbers.
The Department of Health and Human Services breach reporting tool shows WSG reported 48,471 patients were impacted. However, Michigan Attorney General Dana Nessel estimated that at least 600,000 Michigan residents were affected, and Health Alliance Plan reported 120,000 of its patients were involved. The HHS tool does not currently show the HAP estimate.
Blue Cross Blue Shield of Michigan, Three Rivers Health, North Ottawa Community Health System, Mary Free Bed Rehabilitation Hospital, Covenant Hospital, Sparrow Hospital, and McLaren Health Care have also reported their patients were impacted by the security incident.
Initially announced in March, Oregon Department of Human Services began notifying additional patients in June of a breach caused by a massive phishing campaign. In total, 625,000 patients and 2.5 million emails were compromised.
In January, a targeted phishing attack caused nine employees to respond to the malicious emails and provide their user credentials. As a result, hackers gained full access to their email accounts, messages and attachments.
It took Oregon DHS officials three weeks to discover the hack, when those employees reported account issues to the security team. Officials said they’ve continued to investigate the incident since the breach was discovered and determined protected health information was involved.
Hackers were able to obtain or view patient data, which included case numbers, Social Security numbers, and PHI. Officials could not rule out access.
Details on the Columbia Surgical Specialist of Spokane breach are limited. But according to the HHS breach reporting tool, the Washington provider reported a hacking incident in February impacting 400,000 patients.
There’s no public notice on the specialist’s site, but reportedly it was a ransomware attack that began on January 7. Columbia Surgical Specialist did not pay the ransom and restored data from backups.
The personal and health data of about 326,629 UConn Health patients was potentially breached after several employees fell victim to phishing attacks in December.
In February, UConn Health discovered a hacker accessed a number of employee email accounts and immediately secured the accounts.
Officials said they were unable to confirm whether data was accessed. The potentially compromised data included patient names, dates of birth, addresses, and limited medical information. And for 1,500 patients, Social Security numbers were breached.
An unauthorized third party gained access to Navicent Health employee and hosted email accounts in July 2018, which potentially breached the data of 278,016 patients.
An investigation was launched into the security incident, which concluded on January 24. Navicent Health began notifying patients in March, eight months after the breach. HIPAA requires providers to notify patients of a breach within 60 days.
Officials determined the compromised accounts included a host of patient data that included some Social Security numbers, billing and appointment information, and other limited medical data. Navicent could not rule out whether the data was viewed or acquired.
Medical device vendor ZOLL Services notified 277,319 patients in March of a breach to their personal and medical data, caused by a server migration error.
On January 24, officials found some emails archived by its third-party service vendor were exposed during a routine server migration. The vendor was tasked with record retention and maintenance requirements.
The emails contained communications stored by the vendor, including demographic details, dates of birth, and some medical information. Some Social Security numbers were also compromised.