Healthcare Data Breaches
The year is far from over, and already 2019 has seen its share of sophisticated cyber attacks. With millions of individuals impacted by numerous breaches, it’s worth taking note of what some of the biggest breaches have in common.
Statistics Remain On The Rise
According to information collected by the Protenus Breach Barometer, the healthcare sector saw 15 million patient records compromised in 503 breaches in 2018. That’s three times the amount seen in 2017. So far in 2019? More than 25 million patient records have potentially been breached.
Cybersecurity is especially crucial in the healthcare industry, something we’ve seen firsthand with the many dental practices we’ve worked with over the years. All patient data is sensitive data, and is subject to numerous HIPAA regulations including the HIPAA Security Rule and HITECH. Dental offices are held to the same standards as any other healthcare entity, and are vulnerable to the same threats.
In each of the 10 breaches we’ll outline below, more than 200,000 records were breached at one time. While third-party vendors and phishing attacks were the cause of most of these security incidents, many incidents went on for extended periods of time, and several of these institutions failed to properly report their breaches within the HIPAA-mandated 60 days.
With 2019 shaping up to be the worst year in history for healthcare security breaches, there are still a few incidents that were especially alarming both in scope and in cause.
These are the largest healthcare data breaches from the first half of 2019.
1. AMCA Data Breach
Patients Impacted – 25 Million Patients
Investigations are still ongoing into this early May incident, where an 8-K filing with the Securities and Exchange Commission revealed billing services vendor American Medical Collection Agency was hacked over a period of eight months between August 1st, 2018 and March 30th, 2019.
At least six covered entities have come forward so far, reporting that their patient data was compromised by the hack. This number will continue to rise in coming months as the majority of impacted providers are still determining the scope of the breach. It’s difficult to guess how high the total number of affected patients will be once all investigations have been completed.
From what we know so far, up to 12 million patients from Quest Diagnostics were affected. Personal and financial data including Social Security numbers and medical information were compromised. Up to 7.7 million LabCorp patients, 422,000 BioReference patients, 2.2 million Clinical Pathology Laboratories patients, and 13,000 patients from the Penobscot Community Health Center in Maine were also affected.
Recently Austin Pathology Associates reported at least 46,500 of its patients were impacted, and Natera, American Esoteric Laboratories, CBLPath, South Texas Dermatopathology, Seacoast Pathology, Arizona Dermatopathology, and Laboratory of Dermatopathology ADX have also come forward to add their names to the growing list.
The billing services vendor, Quest, and LabCorp are facing numerous investigations and lawsuits, and AMCA’s parent company has filed for bankruptcy.
2. Dominion National
Patients Impacted – 2.96 Million
Insurer Dominion National reported that an internal alert revealed unauthorized access on its systems. Upon investigation in April, it was discovered that the breach had been ongoing for almost nine years, with unauthorized access beginning as early as August 25th, 2010.
The servers contained the enrollment and demographic information of both current and former members of Dominion National’s vision plan, as well as individuals’ dental and vision benefits information. Data of plan producers and health providers were also compromised.
3. Inmediata Health Group
Patients Impacted – 1.5 Million
A misconfigured database was to blame for the breach of the personal health data of 1.57 million Inmediata Health Group patients. To make matters worse, the provider inadvertently mailed patients the wrong letters during the breach notification process, further compromising patient privacy.
The discovery was made in January, when officials found a search engine function allowed internal Inmediata web pages used for business operations to be indexed. Some electronic health information was exposed as a result. Patient demographic details, medical claims data, and other personal information were potentially impacted by the breach.
4. UW Medicine
Patients Impacted – 973,024
The University of Washington Medicine began notifying 974,000 patients in February that, thanks to a misconfigured server, their data had been exposed online for a period of three weeks. Investigators determined that an employee error had caused internal files to become publicly accessible. These files contained the name of the lab test or research study, with the name of the health condition included for some.
Unlike most breaches, this one was discovered not by the provider, but by a patient. In December 2018, a patient conducted a search of their own name and found a file containing their personal information. They then notified UW Medicine, who worked with Google to remove the saved versions and prevent them from showing up in search results, a process that was completed by January 10th, 2019.
5. Wolverine Solutions Group
Patients Impacted – Estimated 600,000
The Wolverine Solutions Group ransomware attack occurred all the way back in September 2018, with the third-party vendor using “rolling notifications” to inform its impacted healthcare clients. This system allowed some providers to receive notifications as late as March 2019.
After the September ransomware attack, which potentially compromised a wide range of data from a host of clients, including demographic details and Social Security numbers, decryption and file restoration continued throughout October.
Blue Cross Blue Shield of Michigan, Three Rivers Health, North Ottawa Community Health System, Mary Free Bed Rehabilitation Hospital, Covenant Hospital, Sparrow Hospital, and McLaren Health Care have also reported their patients were impacted.
6. Oregon Department of Human Services
Patients Impacted – 645,000
In January, a targeted phishing attack led nine employees of the Oregon Department of Human Services to provide their user credentials. This allowed hackers to gain full access to their email accounts, messages, and attachments.
While initially announced in March, the notification of additional patients began in June. In total, 645,000 patients and 2.5 million emails were compromised. It took Oregon DHS officials three weeks to discover the hack, when those employees reported account issues to the security team. It was later determined that protected health information was involved.
Hackers were able to obtain or view patient data, such as case numbers, Social Security numbers, and PHI.
7. Columbia Surgical Specialist of Spokane
Patients Impacted – 400,000
There is no public notice on the Columbia Surgical Specialist of Spokane’s site, and details of this breach are limited. According to the HHS breach reporting tool, the Washington provider reported what is believed to have been a ransomware attack that began January 7th of this year. Columbia Surgical Specialist did not pay the ransom, and was able to restore the data from backups.
8. UConn Health
Patients Impacted – 326,629
This breach began in December of 2018 after several employees fell victim to phishing attacks. In February, UConn Health discovered a hacker accessed a number of employee email accounts. They immediately secured the accounts, but officials were not able to confirm whether or not data was accessed.
The potentially compromised data includes patient names, dates of birth, addresses, and limited medical information. For 1,500 of the potentially impacted patients, Social Security numbers were breached as well.
9. Navicent Health
Patients Impacted – 278,016
An investigation was launched after an unauthorized third party gained access to Navicent Health employee and hosted email accounts in July 2018. The investigation concluded on January 24th. Navicent Health then began notifying patients in March, eight months after the breach, well outside of the HIPAA-mandated 60-day window.
Officials determined that Social Security numbers, billing and appointment information, and other limited medical data were involved in the breach, and Navicent could not rule out that the data had been viewed or acquired.
10. ZOLL Services
Patients Impacted – 277,319
In March, medical device vendor ZOLL Services notified patients of a breach of their personal and medical data caused by a server migration error.
On January 24th, officials found some of the emails archived by ZOLL’s third-party service vendor had been exposed during a routine server migration. The vendor was tasked with record retention and maintenance requirements, and the emails contained communications stored by the vendor. This included demographic details, dates of birth, and some medical information. Some Social Security numbers were also compromised.