The 10 Biggest Healthcare Data Breaches So Far In 2019

Healthcare Data Breaches

The year is far from over, and already 2019 has seen its share of sophisticated cyber attacks. With millions of individuals impacted by numerous breaches, it’s worth taking note of what some of the biggest breaches have in common.

Statistics Remain On The Rise

According to information collected by the Protenus Breach Barometer, the healthcare sector saw 15 million patient records compromised in 503 breaches in 2018. That’s three times the amount seen in 2017. So far in 2019? More than 25 million patient records have potentially been breached.

Cybersecurity is especially crucial in the healthcare industry, something we’ve seen firsthand with the many dental practices we’ve worked with over the years. All patient data is sensitive data, and is subject to numerous HIPAA regulations including the HIPAA Security Rule and HITECH. Dental offices are held to the same standards as any other healthcare entity, and are vulnerable to the same threats.

In each of the 10 breaches we’ll outline below, more than 200,000 records were breached at one time. While third-party vendors and phishing attacks were the cause of most of these security incidents, many incidents went on for extended periods of time, and several of these institutions failed to properly report their breaches within the HIPAA-mandated 60 days.

With 2019 shaping up to be the worst year in history for healthcare security breaches, there are still a few incidents that were especially alarming both in scope and in cause.

These are the largest healthcare data breaches from the first half of 2019.

1. AMCA Data Breach

Patients Impacted – 25 Million Patients

Investigations are still ongoing into this early May incident, where an 8-K filing with the Securities and Exchange Commission revealed billing services vendor American Medical Collection Agency was hacked over a period of eight months between August 1^st, 2018 and March 30^th, 2019.

At least six covered entities have come forward so far, reporting that their patient data was compromised by the hack. This number will continue to rise in coming months as the majority of impacted providers are still determining the scope of the breach. It’s difficult to guess how high the total number of affected patients will be once all investigations have been completed.

From what we know so far, up to 12 million patients from Quest Diagnostics were affected. Personal and financial data including Social Security numbers and medical information were compromised. Up to 7.7 million LabCorp patients, 422,000 BioReference patients, 2.2 million Clinical Pathology Laboratories patients, and 13,000 patients from the Penobscot Community Health Center in Maine patients have also been compromised.

Recently Austin Pathology Associates reported at least 46,500 of its patients were impacted, and Natera, American Esoteric Laboratories, CBLPath, South Texas Dermatopathology, Seacoast Pathology, Arizona Dermatopathology, and Laboratory of Dermatopathology ADX have also come forward to add their names to the growing list.

The billing services vendor, Quest and LabCorp are facing numerous investigations and lawsuits and AMCA’s parent company has filed for bankruptcy.

2. Dominion National

Patients Impacted – 2.96 Million

Insurer Dominion National reported that an internal alert revealed unauthorized access on its systems. Upon investigation in April, it was discovered that the breach has been ongoing for almost nine years, with unauthorized access beginning as early as August 25^th, 2010.

The servers contained the enrollment and demographic information of both current and former members of Dominion National’s vision plan, as well as individuals’ dental and vision benefits information. Data of plan producers and health providers were also compromised.

3. Inmediata Health Group

Patients Impacted – 1.5 Million

A misconfigured database was to blame for the breach of the personal health data of 1.57 million Inmediata Health Group patients. To make matters worse, the provider inadvertently mailed patients the wrong letters during the breach notification process, further compromising patient privacy.

The discovery was made in January, when officials found a search engine function allowed internal Inmediata web pages used for business operations to be indexed. Some electronic health information was exposed as a result. Patient demographic details, medical claims data, and other personal information were potentially impacted by the breach.

4. UW Medicine

Patients Impacted – 973,024

The University of Washington Medicine began notifying 974,000 patients in February that thanks to a misconfigured server, their data was exposed online for a period of three weeks. It was determined an employee error was what had caused internal files to become publicly accessible. These files contained the name of the lab test or research study, with the name of the health condition included for some.

Unlike most breaches, this one was discovered not by the provider, but by a patient. In December 2018, a patient conducted a search of their own name and found a file containing their personal information. They then notified UW Medicine, who worked with Google to remove the saved versions and prevent them from showing up in search results, a process that was completed by January 10^th, 2019.

5. Wolverine Solutions Group

Patients Impacted – Estimated 600,000

The Wolverine Solutions Group ransomware attack occurred all the way back in September 2018, With the third-party vendor using “rolling notifications” to inform its impacted healthcare clients. This system allowed for some providers to received notifications as late as March 2019.

After the September ransomware attack, which potentially compromised a wide range of data from a host of clients, including demographic details and Social Security numbers, decryption and file restoration continued throughout October.

Blue Cross Blue Shield of Michigan, Three Rivers Health, North Ottawa Community Health System, Mary Free Bed Rehabilitation Hospital, Covenant Hospital, Sparrow Hospital, and McLaren Health Care have also reported their patients were impacted.

6. Oregon Department of Human Services

Patients Impacted – 645,000

In January, a targeted phishing attack resulted in nine employees of the Oregon Department of Human Services to provide their user credentials. This allowed hackers to gain full access to their email accounts, messages, and attachments.

While initially announced in March, the notification of additional patients began in June. In total, 645,000 patients and 2.5 million emails were compromised. It took Oregon DHS officials three weeks to discover the hack, when those employees reported account issues to the security team. IT was later determined that protected health information was involved.

Hackers were able to obtain or view patient data, such as case numbers, Social Security numbers, and PHI.

7. Columbia Surgical Specialist of Spokane

Patients Impacted – 400,000

There is no public notice on the Columbia Surgical Specialist of Spokane’s site, and details of this breach are limited. According to the HHS breach reporting tool, the Washington provider reported what is believed to have been a ransomware attack that began January 7^th of this year. Columbia Surgical Specialist did not pay the ransom, and were able to restore the data from backups.

8. UConn Health

Patients Impacted – 326,629

This breach began in December of 2018 after several employees fell victim to phishing attacks. In February, UConn Health discovered a hacker accessed a number of employee email accounts. They immediately secured the accounts, but officials were not able to confirm whether or not data was accessed.

The potentially compromised data includes patient names, dates of birth, addresses, and limited medical information. For 1,500 of the potentially impacted patients, Social Security numbers were breached as well.

9. Navicent Health

Patients Impacted – 278,016

An investigation was launched after an unauthorized third-party gained access to Navicent Health employee and hosted email accounts in July 2018. The investigation concluded on January 24^th. Navicent Health then began notifying patients in March, eight months after the breach, well outside of the HIPAA mandated 60 day window.

Officials determined Social Security numbers, billing and appointment information, and other limited medical data was involved in the breach, and Navicent could not rule out whether the data was viewed or acquired.

10. ZOLL Services

Patients Impacted – 277,319

In March, medical device vendor ZOLL Services notified patients of a breach of their personal and medical data caused by a server migration error.

On January 24^th, officials found some of the emails archived by ZOLL’s third-party service vendor had been exposed during a routine server migration. The vendor was tasked with record retention and maintenance requirements, and the emails contained communications stored by the vendor. This included demographic details, dates of birth, and some medical information. Some Social Security numbers were also compromised.

Wil Buchanan