Top Five U.S. Healthcare Breaches
Data breaches in the healthcare industry have become both more frequent, and more severe. According to Statistics, a shocking one-in-four consumers have had their healthcare data stolen, emphasising the need to tackle this issue head on. Read on to hear the details of the five worst data breaches in the US healthcare system… and their aftermath.
The most recent hacking of a government healthcare system – Healthcare.gov, no less – exposed the personal details and PHI (protected health information) of up to 75,000 individuals, and emphasises the fact that even government systems need improving when it comes to protecting sensitive data from hackers. The motivation of those is clear, according to Nate Lord from the Digital Guardian who says that “hospitals, urgent care clinics, pharmacies, health insurance companies, and other healthcare providers keep records of very valuable information – more ‘juicy details’ that can be used for identity theft than almost any other industry.”
So let’s kick off our list with a data breach that saw a significantly higher number of people impacted than the latest 75,000 users impacted with the Healthcare.gov hack.
1. Banner Health: 3.7-million.
In 2016, an Arizona-based healthcare outside Banner Health was scrambling to pick up the pieces after a data breach that compromised personal health information of 3.62-million patients. At the time of the attack, Banner health operated in 29 hospitals in Arizona, found that an outside party had gained access to credit and debit card processing systems that became a fountain of sensitive data like cardholders’ names, numbers and expiry dates. A few weeks later, they were hit with again, and hackers were able to gain widespread access to patient’s health information. Shortly after, Dan Berger, CEO of Redspin, a cybersecurity consultant said that the Banner Health breach “underscores the necessity to conduct truly comprehensive network security assessments including external and internal penetration testing. One has to assume that any device, system or workstation that connections to the network is a potential entry point for hackers.”
2. Advocate Health Care: 4.03-million
In August of 2013, Advocate Health Care Network was operating across 12 hospitals and 200 treatment facilities in Illinois and was responsible for the protection of millions of patients’ health information. Four desktop computers were stolen from an administrative office containing records for around four-million patients, with a second breach resulting in a third party gaining access to the protected network of a contractor who provided billing services; compromising a further 2,000 patients. As a cherry on top, later that year, an unencrypted laptop was stolen from an employee’s car, resulting in a $5.55-million settlement with HHS for their violations of HIPAA requirements. Shortly after, Jocelyn Samuels, director of HHS’ Office for Civil Rights – the office responsible for enforcing non-conformances within HIPAA requirements – said the settlement “sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’’ ePHI is secure.”
3. University of California, Los Angeles: 4.5-million
In mid-2015, UCLA reported a breach of its Health System whereby hackers were able to access the records of as many as four and a half million patients. Although credit card or financial information wasn’t compromised, according to Dr. James Atkinson, president of UCLA’s Hospital System, the parts of the network that were accessed contained social security numbers, health plan information, and vitally-sensitive ePHI information of patients. UCLA drew further criticism for their lack of encrypted data, with almost all information on its network remaining unencrypted; readily available for hackers. In the wake of the attack, founder of Patient Privacy Rights based in Austin, Texas, Dr. Deborah Peel said: “the breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links.”
4. Premera Blue Cross: 11-million
2015 was a disastrous year for health insurance provider, Premera Blue Cross, who disclosed details of a hack that originated almost a year earlier, in May of 2014. During that time, hackers were able to access the ePHI details, as well as social security numbers, bank account numbers, birth dates and other sensitive data of up to 11-million patients in Premera’s system. To make things worse, just weeks ago plaintiffs in a class-action lawsuit against Premera Blue Cross accused the organization of “’wilfully destroying’ evidence that was crucial for establishing accurate details in a security breach incident”, alleging a cover-up of some sorts.
5. Anthem Blue Cross: 78.8-million
On February 4, 2015, Anthem Blue Cross made the announcement that a third party had unlawfully gained access to its servers and had potentially stolen records from up to 37.5-million people. Just under three weeks later, and that number was revised up to 78.8-million. Much of the data that was compromised was left unencrypted, so the hackers that had gained access to the network were able to access, read – and most likely sell on the black market – valuable data that should have been protected by some level of encryption. The data included social security numbers, birthdays, medical IDs, and financial information of just under 80-million people, that can be sold for a handsome price on the black market. The Anthem Blue Cross data breach remains the most severe breach we’ve seen in the healthcare industry, and has been accompanied by a $115-million settlement following a class-action lawsuit. Despite the far-reaching consequences – and lack of sufficient technological infrastructure to keep intruders out - Anthem conceded no wrongdoing in court proceedings.