With the majority of healthcare providers reporting that they were impacted by a healthcare ransomware attack in the past 12 months, it is not surprising that nine out of the 10 largest breaches reported to OCR in 2017 were caused by hacking or IT incidents.
Save for one reported incident, the largest data breaches came from ransomware attacks, unauthorized server access, and computer viruses. In total, 2,633,207 individuals were potentially impacted by the incidents, according to OCR.
Out of the 277 incidents reported to OCR between January 1, 2017 and December 12, 2017, 123 were listed as being due to hacking or an IT incident. Unauthorized access/disclosure led to 96 reported breaches, followed by theft (46), improper disposal (7), and loss (5).
Here is HealthITSecurity.com’s annual countdown of the top 10 healthcare data breaches of the year.
VisionQuest Eyecare discovered a cyber attack on its network on January 22, 2017, an incident that reportedly impacted 85,995 individuals.
Information that was potentially compromised included patient names, addresses, phone numbers, dates of birth, Social Security numbers, health or vision insurance information, medical claims data and clinical information (Private Health Information).
“Since this discovery, it has been our highest priority to further secure our network and data,” VisionQuest said in its online statement. “We have invested in multiple technology solutions in order to mitigate further risk of a data breach.”
Unauthorized patient information access may have occurred at Harrisburg Gastroenterology and the Harrisburg Endoscopy and Surgery Center, the organization said in a notification letter sent out earlier this year.
Harrisburg Gastroenterology Ltd reported to OCR that 93,323 individuals may have been affected, while Harrisburg Endoscopy and Surgery Center had 9,092 patients possibly impacted by the incident.
Michigan-based McLaren Medical Group (MMG) had its computer system accessed by an unauthorized party, possibly impacting 106,008 individuals.
The accessed system stored scanned documents including information related to authorizations, orders, appointment scheduling, and similar data.
“The computer system that was accessed has been rebuilt and updated with added measures in place to protect patient information from similar activity in the future,” MMG explained.
Arkansas Oral & Facial Surgery Center recently experienced a ransomware attack on its computer network on July 26, 2017, with 128,000 individuals possibly being affected.
The ransomware had been installed either earlier that morning or the evening before, according to the organization. The attack was likely carried out for extortion rather than to obtain patient information.
“While our investigation into the matter continues, it does not appear that patient information was stolen from our system,” the statement explained. “However, the ransomware has rendered the imaging files and documents inaccessible. Based on our present investigation, it also appears that the ransomware rendered all electronic patient data inaccessible pertaining to visits within approximately three weeks prior to the incident.”
Atlanta, Georgia-based Peachtree Neurological Clinic reported it had been the victim of a ransomware attack, potentially impacting 176,295 individuals.
Peachtree refused to pay the demanded ransom and was able to restore the encrypted files through backup records.
It was also discovered that the computer system had previously been accessed without Peachtree’s knowledge between February of 2016 and May of 2017.
Patient names, addresses, phone numbers, Social Security numbers, dates of birth, driver’s license numbers, treatment and procedure information, prescription information, and health insurance information were all contained within the impacted computer system.
Pacific Alliance Medical Center (PAMC) became aware on June 14, 2017 that its networked computer system had been affected by a cyber incident. Certain files had been encrypted and made unreadable, the organization stated.
“PAMC promptly shut down its networked computer systems, initiated its incident response and recovery procedures, notified the Federal Bureau of Investigation, and began a forensic investigation under the direction of its counsel,” PAMC said. “Since then, PAMC has decrypted (made readable again) the affected files and has taken action to restore the affected systems and prevent similar incidents from occurring.”
OCR states that 266,123 individuals were likely affected by the incident.
Texas-based Urology Austin, PLLC experienced a ransomware attack on January 22, 2017 that may have involved the information of 279,663 individuals.
“Within minutes, we were alerted to the attack, our computer network was shut down, and we began an investigation,” the organization stated. “We also began to take steps to restore the impacted data and our operations.”
Potentially affected information included patient names, addresses, dates of birth, Social Security numbers, and medical information.
A Urology Austin representative told local news station KXAN that Urology Austin did not pay the ransom and it restored patient information from a backup.
Women’s Healthcare Group of Pennsylvania discovered on May 16, 2017 that one of its practice locations had a server and workstation infected by a virus. The affected devices were immediately removed and an investigation was launched.
“External hackers gained access to our systems, as far back as January 2017, through a security vulnerability,” the organization stated. “We also believe the virus was propagated through this vulnerability. Although this security vulnerability allowed access to limited patient information and the virus encrypted certain files, we have been unable to determine if any specific information was actually acquired or viewed in connection with this incident.”
OCR reported that 300,000 individuals were possibly impacted.
Michigan-based Airway Oxygen, Inc reported earlier this year that it was the victim of a ransomware attack that likely affected 500,000 individuals.
“Since learning of the incident, we immediately took steps to secure our internal systems against further intrusion, including by scanning the entire internal system, changing passwords for users, vendor accounts and applications, conducting a firewall review, updating and deploying security tools, and installing software to monitor and issue alerts as to suspicious firewall log activity,” explained the statement, which was signed by Airway Oxygen President Stephen Nyhuis.
While certain PHI was involved, the organization said that bank account numbers, debit or credit card numbers, and Social Security numbers were not involved.
Commonwealth Health Corporation is the parent company for Kentucky-based Med Center Health, which reported that a former employee accessed certain patient billing information without authorization.
OCR lists 697,800 individuals as potentially being affected.
The individual reportedly “obtained certain billing information by creating the appearance that they needed the information to carry out their job duties for Med Center Health.”
The employee used an encrypted CD and encrypted USB drive in August 2014 and February 2015.
The billing information included patient names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes, and charges for medical services.
“The evidence we have gathered to date suggests that the former employee intended to use these records to assist in the development of a computer-based tool for an outside business interest which had never been disclosed to Med Center Health officials,” Med Center Health explained in its notification letter that was signed by CEO Connie Smith.