Cyber-crimes are on the rise in every type of organization or industry and 2020 has seen a specific targeting of the the healthcare industry, even more now that telehealth is more prevalent due to the COVID-10 pandemic.
In 2019 the healthcare sector saw 41.4 million patient records breached as a result of a 49% increase in cyber-crime against healthcare that year.
Despite the increase in 2019, 2020 hasn’t proven to be any better and they continue to highlight some of the sector’s biggest vulnerabilities.
As you will see in this article, we will discuss some of the biggest data breaches of 2020 that many organizations should know, and learn from.
Providers still have a great deal of work to do when it comes to securing remote connections, properly disposing documents, and educating users to prevent the frequency of successful phishing attacks – as well as delays in detection and breach notifications.
Here are 10 of the Biggest Healthcare Breaches of 2020:
Health Share of Oregon
Patients effected: 654,000
It all started when a laptop owned by a transportation vendor who worked for the Health Share of Oregon was stollen.
The stolen device contained patient names, contact details, dates of birth, and Medicaid ID numbers. Luckily, there was no patient history stored on he device.
This was a much needed reminder that physical security controls and vendor management need equal attention as cybersecurity priorities.
Health Share of Oregon is Oregon’s largest Medicaid coordinated care organization.
The organization notified 654,000 patients due to the theft of the device.
The notification did not clarify whether the laptop was encrypted.
Florida Orthopedic Institute
Patients effected: $640,000
The attack on Florida Orthopedic Institute was first discovered on April 9, with the malware encrypting data stored on FOI servers.
Administrators were able to quickly secure the system, but the investigation found that patient data was potentially exfiltrated or accessed during the attack.
The ransomware attack breached an estimated 640,000 patients data according to a report filed with the HHS on July 1st.
The breached data included a variety of patient information including a variety of sensitive data such as Social Security numbers, dates of birth, claims addresses, insurance plan identification numbers, FOI claims histories, diagnosis codes, payer identification numbers, payment amounts, contact details, and physician locations.
Elite Emergency Physicians (Formerly Known as Elkhart Emergency Physicians)
Patients effected: 550,000
This patient record leak was caused by the improper disposal of patient records, including records from its Elkhart Emergency Physicians.
In June, it was reported that third-party vendor Central Files, which was tasked with secure record storage and disposal for a number of healthcare covered entities, had improperly disposed of some patient files.
The impacted providers also included St. Joseph Health System in Indiana.
Several hospital facilities hired Central Files to dispose of medical records properly, however, reports in April warned certain providers that their documents were discovered at a dump site in “poor condition, showing signs of moisture damage, mold and rodent infestation, and damage from being mixed with trash and other debris.”
The compromised data included sensitive and legally protected information and for Elite the records included information of patients who visited Elkhart Emergency Physicians from 2002 to 2010.
“Trained safety personnel determined that further inspection of most of these records to identify individuals whose information was included in the documents would be extremely hazardous and instead recommended secure destruction as soon as possible,” officials explained.
Patients effected: 365,000
Magellan Health was the victim of a sophisticated ransomware attack that infiltrated the health plan’s services back in April.
The cyber-criminals gained access to nearly 365,000 patient and employee files by social engineering their way through a phishing scheme that impersonated a Magellan health client.
Once they gained access, the hackers exfiltrated sensitive data from the impacted server and stole data including employee credentials, passwords, and W-2 forms, as well as patient data like health insurance account information and treatment information.
BJC Health System
Patients effected: 278,876
In May, Missouri-based BJC Healthcare began notifying 287,876 patients from 19 of its affiliated hospitals that their data was compromised after a successful phishing attack.
Three BJC Health employees fell victim to the scam on March 6, which was detected by its security team on the same day.
The investigation showed the hacker had access to the impacted email accounts for just one day, but officials said they were unable to determine if any patient information, emails, or attachments were viewed during that time.
BJC reviewed all emails and attachments to determine what patients were affected and found the accounts contained information that varied by patient, including treatments, medications, Social Security numbers, and health insurance data, among other sensitive information.
The impacted BJC-affiliated providers included: Alton Memorial Hospital, Barnes-Jewish Hospital, Barnes-Jewish St. Peters Hospital, Barnes-Jewish West County Hospital, BJC Behavioral Health, BJC Corporate Health Services, BJC Home Care, BJC Medical Group, Boone Hospital Center, Christian Hospital, Memorial Hospital Belleville, Memorial Hospital East, Missouri Baptist Medical Center, Missouri Baptist Physician Services, Missouri Baptist Sullivan Hospital, Parkland Health Center Boone Terre, Parkland Health Center Farmington, Progress West Hospital, and St. Louis Children’s Hospital.
Benefit Recovery Specialists
Patients effected: 274,837
On April 30, BRSI discovered a malware incident on some of its servers and took those systems offline to remove the malicious software.
An investigation confirmed a hacker accessed the systems using stolen employee credentials, which allowed the threat actor to either access or acquire some customer files for 10 days between April 20 and April 30.
The stolen data included personal information from both current and former members of certain providers or health plans that leverage BRSI and could included dates of birth, provider names, diagnosis codes, policy identification numbers, dates of service and or procedure codes.
It is believed that Social Security Numbers for some patients may have also been compromised.
Patients effected: 232,772
On January 22 to January 24th, 2020, Ambry Genetics suffered an email hack that compromised 252,772 patients information.
The hacker gained access by hacking an employees email but reports say they are unsure if the cyber-criminal was actually able to exfiltrate the data in the account.
The compromised patient data could include names, medical information, and information related to services provided by Ambry Genetics. Some Social Security numbers were compromised, as well.
Both the FBI and Department of Homeland Security have said that there have been a rise in cyber-crime targeted towards research firms during the COVID-19 pandemic.
Patients effected: 199,548
PIH Health was the target of a phishing campaign back in January that potentially breached 200,000 patient records and protected health information.
The California based organization only sent notifications out 7 months after the incident was discovered but HIPAA requires breaches effecting more than 500 patients be reported within 60 days of discovery.
The initial breach was discovered in June 2019, where several employee email accounts were compromised and potentially accessed by a hacker after a successful phishing attack.
The investigation concluded in October 2019 and found the accounts were accessed for more than a week.
A second investigation was launched to determine the impacted data and found the accounts contained information from both current and former patients.
The notification did not disclose exactly what patient data was impacted.
BST & CO. CPAS
Patients effected: 170,000
Accounting firm known as BST & CO. CPAs in New York was hit by the Maze ransomware hacking group in February of 2020.
Investigations revealed that the attack lasted for three days and some information tied to patients was compromised during the security incident, such as names, billing codes, insurance descriptions, and medical record numbers.
The BST network also ontained data from the firm’s local clients, including CCP, to which BST provides accounting and tax services.
What was interesting about this cyber-attack is that BST was listed on the Maze hackers’ dark web blog prior to the breach disclosure.
Several CCP patients have filed lawsuits against BST as a result of the ransomware attack, saying the firm was reckless and negligent in protecting their data.
Patients effected: 166,077
This pediatric home care provider determined several employee email accounts were hacked for more than a month between July 9 and August 24, 2019 but failed to report the breach until February, months after the attack.
This delay led to several painful lawsuits which argued the breach was caused by inadequate security, while stressing Aveanna waited well beyond the HIPAA-required 60 days to notify patients about the breach.
“The private information was maintained on Aveanna’s computer network in a condition vulnerable to cyberattacks, including the infiltration of certain email accounts containing [patients]’ private information,” the lawsuit argued.
“In addition, Aveanna and its employees failed to properly monitor the computer network and systems that housed the private information,” it added. “Had Aveanna properly monitored the aforementioned network and systems, it would have discovered the intrusion sooner.”