Data breaches in the healthcare industry are always a top concern for providers, business associates, vendors, and other stakeholders. With technology continuing to quickly evolve, security cannot be a secondary consideration.
The majority of 2016 security incidents stemmed from cybersecurity attacks, which is why covered entities need to ensure that they have applicable security measures in place, perform regular risk assessments, and properly train all employees.
No organization can ever guarantee that a data breach will never take place, but with the right preparation and mitigation techniques, an entity may be able to detect an issue sooner and be able to quickly recover.
The past year has been another significant one for healthcare in terms of data breaches. Out of the approximately 300 incidents reported to the Office for Civil Rights (OCR), 95 were caused by a hacking or IT-related incident, and 125 were from unauthorized access or disclosure. There were also 58 reported cases of theft of devices or records, 16 incidents of loss, and seven cases of improper disposal.
Here is our annual countdown of the top 10 healthcare data breaches of 2016.
Premier Healthcare reported a potential healthcare data breach in March, affecting 205,748 individuals, according to OCR.
A laptop was stolen from Premier’s billing department, but was returned to the provider in the mail “on or about March 7, 2016.” An investigation determined that the laptop had not been powered on since it went missing on December 31, 2015.
Premier also explained in its online statement that there was no evidence showing that the information on the laptop was inappropriately accessed.
Central Ohio Urology Group (COUG) reported in October that an unauthorized individual posted files and documents to an online drive accessible on the Internet on August 2, 2016.
The information of 300,000 patients, employees, and individuals who paid for medical services was reportedly affected.
While the information was removed from the drive within hours, COUG said that names, addresses, telephone number(s), emails, dates of birth, Social Security numbers, driver’s license/state identification numbers, patient identification numbers, medical and health plan information, account information, diagnoses or treatment information, health insurance information and identifiers, and employment-related information may have been exposed.
California Correctional Health Care Services had 400,000 individuals affected by a possible data breach in April, according to OCR.
PHI may have been exposed for patients in the California Department of Corrections and Rehabilitation who were incarcerated between 1996 and 2014 when an unencrypted work laptop was stolen from an employee’s personal vehicle. However, California Correctional Healthcare Services said that the device was password-protected.
“Appropriate actions were immediately implemented and shall continue to occur,” said Director of Communications and Legislation Joyce Hayhoe. “This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.”
Florida-based Radiology Regional Center reported in February 2016 that patient information may have been exposed after some paper records were found on a street on December 19, 2015. Approximately 483,000 individuals were affected, OCR reported.
“A small quantity of records” fell onto the street while being transported by Lee County Solid Waste Division, Radiology Regional explained. That company is also responsible for the disposal of Radiology patient records.
“As a result of our numerous searches, we believe that virtually all of the records were retrieved. To ensure an incident like this does not happen again, we have taken steps to change how paper records are transported and destroyed,” Radiology Regional said in its statement. “Lee County Solid Waste Division will no longer be responsible for transporting our records for disposal.”
Peachtree Orthopaedic Clinic reported to OCR in November that 531,000 individuals may have been impacted by a cybersecurity attack it experienced on September 22, 2016.
Patient names, home addresses, email addresses, and dates of birth were “potentially taken” in the unauthorized access, Peachtree said in its online statement. Patient treatment codes, prescription records, or Social Security numbers may also have been taken in some cases.
Individuals who were patients prior to July 2014 “may be affected,” while there were also a “small number of cases” where individuals who were patients after that time may also have been impacted.
South Carolina’s Bon Secours Health System, Inc. reported in August 2016 that 651,971 individuals were likely affected by a data breach stemming from a vendor error.
The vendor, R-C Healthcare Management, inadvertently made patient files available online as it attempted to adjust its computer network settings from April 18, 2016 to April 21, 2016.
While medical records were not made accessible, patients’ names, health insurers’ names, health insurance identification numbers, limited clinical information, Social Security numbers, and in some instances, bank account information may have been exposed.
“To help prevent something like this from happening in the future, we are reinforcing standards with our vendors to ensure our patients’ information is securely maintained,” Bon Secours said in a statement.
Valley Anesthesiology and Pain Consultants (VAPC) notified OCR in August 2016 that 882,590 individuals may have been impacted by unauthorized access on one of its computer systems.
The initial hacking may have occurred on March 30, 2016, but VAPC became aware of the incident on June 13, 2016.
Patient data, provider information, and certain employee information may have been exposed, according to VAPC. Those whose Social Security numbers or Medicare numbers were involved were offered free credit monitoring and identity protection services.
“In addition to security safeguards already in place, VAPC is taking steps to enhance the security of its computer systems in order to prevent this type of incident from occurring again in the future,” the organization explained. “These steps include reviewing its security processes, strengthening its network firewalls, and continuing to incorporate best practices in IT security.”
A 21st Century Oncology database was inappropriately accessed by an unauthorized third party toward the end of 2015, potentially exposing information of 2,213,597 individuals.
21st Century notified OCR in March 2016, claiming in an online statement that the delay occurred because the FBI had requested a delay in notification so there would be no interference in its investigation.
The intruder may have accessed the database on October 3, 2015, possibly compromising patient names, Social Security numbers, physicians’ names, diagnosis and treatment information, and insurance information.
“We continue to work closely with the FBI on its investigation of the intrusion into our system,” 21st Century explained. “In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.”
Newkirk Products, Inc. issues healthcare ID cards for health insurance plans, and announced in August 2016 that it had experienced a cybersecurity attack. OCR lists 3,466,120 individuals as potentially having had their information affected.
“On July 6, 2016, Newkirk discovered that a server containing member information was accessed without authorization,” the company explained. “Newkirk shut down the server, started an investigation into the incident and hired a third party forensic investigator to determine the extent of the unauthorized access and whether the personal information of its clients’ members may have been accessed. Newkirk also notified federal law enforcement.”
At the initial announcement, Newkirk stated that no health plan systems were accessed or affected in any way. However, potentially accessed information included some combination of member names, mailing addresses, type of plan, member and group ID numbers, names of dependents enrolled in the plan, primary care providers, and in some cases, dates of birth, premium invoice information and Medicaid ID numbers.
The largest reported data breach in the healthcare sector for 2016 was Banner Health, with 3.62 million individuals impacted by a cybersecurity attack that occurred over the summer.
Banner discovered the issue on July 13, 2016, but a third-party forensics investigation found that the initial attack occurred on June 17, 2016.
There were “a limited number of Banner Health computer servers as well as the computer systems that process payment card data at certain Banner Health food and beverage outlets” affected in the attack, according to Banner.
Patients, members and beneficiaries, and food and beverage outlet customers may have all had certain information exposed.
The food and beverage outlet breach was discovered on July 7, 2016, while payment cards used at 27 different Banner Health locations from June 23, 2016 to July 7, 2016 may have been affected. Arkansas, Arizona, Colorado, and Wyoming all have possibly affected locations.
“The attackers targeted payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems,” explained Banner.