Top 10 Largest Healthcare Breaches of 2020 (So Far)
Updated: Aug 16
July 08, 2020 - The healthcare sector saw a whopping 41.4 million patient records breached in 2019, fueled by a 49 percent increase in hacking, according to the Protenus Breach Barometer.
And despite the COVID-19 crisis, the pace of healthcare data breaches in 2020 continues to highlight some of the sector’s biggest vulnerabilities.
The end of 2019 saw a host of ransomware attacks and vendor-related breaches that outpaced previous years in the healthcare sector. For comparison, the industry saw just 15 million records breached in 2018.
But while phishing campaigns tied to the Coronavirus peaked in mid-April, the rate of ransomware attacks and reported data breaches slowed amid the crisis. However, security researchers noted that though ransomware attacks remained flat from the rate seen at the end of 2019, providers should not be lulled into a false sense of security.
As seen with the biggest healthcare data breaches of the year, providers still have a great deal of work to do when it comes to securing remote connections, properly disposing of documents, and educating users to reduce the frequency of successful phishing attacks – as well as delays in detection and breach notifications.
1. HEALTH SHARE OF OREGON: 654,000 PATIENTS
The theft of a laptop owned by the transportation vendor of the Health Share of Oregon shows that physical security controls and vendor management need as much attention as cybersecurity priorities.
Oregon’s largest Medicaid coordinated care organization notified 654,000 patients due to the device theft from its vendor GridWorks. The notification did not clarify whether the laptop was encrypted. But the stolen device contained patient names, contact details, dates of birth, and Medicaid ID numbers.
Fortunately, health histories were not stored on the laptop. In response, Health Share updated its annual audit processes with its contractors and improved workforce training.
2. ELITE EMERGENCY PHYSICIANS (FORMERLY KNOWN AS ELKHART EMERGENCY PHYSICIANS): 550,000 PATIENTS
The provider now known as Elite Emergency Physicians was included in a massive security incident involving the improper disposal of patient records, including records from its Elkhart Emergency Physicians.
In June, it was reported that third-party vendor Central Files, which was tasked with secure record storage and disposal for a number of healthcare covered entities, had improperly disposed of some patient files. The impacted providers also included St. Joseph Health System in Indiana.
Central Files had been hired by a host of providers to destroy certain records and to securely store some patient files, including sensitive and legally protected information, until they were subsequently transferred to another records company.
However, reports in April warned certain providers that their documents were discovered at a dump site in “poor condition, showing signs of moisture damage, mold and rodent infestation, and damage from being mixed with trash and other debris.”
“Trained safety personnel determined that further inspection of most of these records to identify individuals whose information was included in the documents would be extremely hazardous and instead recommended secure destruction as soon as possible,” officials explained.
For Elite, the records included information of patients who visited Elkhart Emergency Physicians from 2002 to 2010.
3. MAGELLAN HEALTH: 365,000 PATIENTS
More than eight Magellan Health affiliates and some of its clients have reported breach incidents to the Department of Health and Human Services, after a sophisticated ransomware attack hit the health plan’s servers in April. Nearly 365,000 patients and employees have been impacted.
Hackers gained access by leveraging a social engineering phishing scheme that impersonated a Magellan Health client, five days before the ransomware was deployed. During that time, hackers first exfiltrated sensitive data from the impacted server.
The potentially stolen data included employee credentials, passwords, and W-2 forms, as well as patient data like health insurance account information and treatment information.
The recent breach marks the second time Magellan Health has faced a massive security incident in the last year. A monthlong phishing incident in 2019 breached the data from some of the third-party vendor’s clients, such as Florida Blue, McLaren Health, and Presbyterian Health, among others.
4. BJC HEALTH SYSTEM: 287,876 PATIENTS
In May, Missouri-based BJC Healthcare began notifying 287,876 patients from 19 of its affiliated hospitals that their data was compromised after a successful phishing attack.
Three BJC Health employees fell victim to the scam on March 6, which was detected by its security team on the same day. The investigation showed the hacker had access to the impacted email accounts for just one day, but officials said they were unable to determine if any patient information, emails, or attachments were viewed during that time.
BJC reviewed all emails and attachments to determine which patients were affected and found the accounts contained information that varied by patient, including treatments, medications, Social Security numbers, and health insurance data, among other sensitive information.
The impacted BJC-affiliated providers included: Alton Memorial Hospital, Barnes-Jewish Hospital, Barnes-Jewish St. Peters Hospital, Barnes-Jewish West County Hospital, BJC Behavioral Health, BJC Corporate Health Services, BJC Home Care, BJC Medical Group, Boone Hospital Center, Christian Hospital, Memorial Hospital Belleville, Memorial Hospital East, Missouri Baptist Medical Center, Missouri Baptist Physician Services, Missouri Baptist Sullivan Hospital, Parkland Health Center Bonne Terre, Parkland Health Center Farmington, Progress West Hospital, and St. Louis Children’s Hospital.
5. AMBRY GENETICS: 232,772 PATIENTS
California-based Ambry Genetics, a clinical genomic diagnostics vendor, suffered an email hack from January 22 to January 24, 2020, which compromised the data of 232,772 patients.
An investigation revealed a hacker gained access to an employee email account, but officials said they were unable to determine whether the threat actor was able to access or exfiltrate the data contained in the account.
The compromised patient data could include names, medical information, and information related to services provided by Ambry Genetics. Some Social Security numbers were compromised, as well.
The FBI and the Department of Homeland Security warned in May that COVID-19 research firms have been targeted throughout the COVID-19 crisis.
Get the rest of the list from the original post here