UPDATE: The 10 Biggest Healthcare Data Breaches of 2020, So Far

July 08, 2020 - The healthcare sector saw a whopping 41.4 million patient records breached in 2019, fueled by a 49 percent increase in hacking, according to the Protenus Breach Barometer. And despite the COVID-19 crisis, the pace of healthcare data breaches in 2020 continue to highlight some of the sector’s biggest vulnerabilities. 

The end of 2019 saw a host of ransomware attacks and vendor-related breaches that outpaced previous years in the healthcare sector. For comparison, the industry saw just 15 million records breached in 2018. 

But while phishing campaigns tied to the Coronavirus peaked in mid-April, the rate of ransomware attacks and reported data breaches slowed amid the crisis. However, security researchers noted that though ransomware attacks remained flat from the rate seen at the end of 2019, providers should not be lulled into a false sense of security. 

As seen with the biggest healthcare data breaches of the year, providers still have a great deal of work to do when it comes to securing remote connections, properly disposing documents, and educating users to prevent the frequency of successful phishing attacks – as well as delays in detection and breach notifications.

This story was updated to reflect the breach victim tallies of Florida Orthopaedic Institute and Benefit Recovery Specialists, as reported to the Department of Health and Human Services.

1. Health Share of Oregon: 654,000 Patients

READ MORE: Magellan Health Data Breach Victim Tally Reaches 365K Patients

The theft of a laptop owned by the transportation vendor of the Health Share of Oregon, shows that physical security controls and vendor management need equal attention as  cybersecurity priorities.  

Oregon’s largest Medicaid coordinated care organization notified 654,000 patients due to the device theft from its vendor GridWorks. The notification did not clarify whether the laptop was encrypted. But the stolen device contained patient names, contact details, dates of birth, and Medicaid ID numbers. 

Fortunately, health histories were not stored on the laptop. Health Share updated its annual audit processes with its contractors and improved workforce training, in response. 

2. Florida Orthopaedic Institute: 640,000 Patients

A ransomware attack on the Florida Orthopaedic Institute (FOI) potentially breached the data of about 640,000 patients, as reported to HHS on July 1.

The attack was first discovered on or about April 9, with the malware encrypting data stored on FOI servers. Administrators were able to quickly secure the system, but the investigation found that patient data was potentially exfiltrated or accessed during the attack.

READ MORE: $185K Proposed Settlement Reached in Grays Harbor Data Breach Lawsuit

The affected data varied by patient, but could include a host of sensitive data such as Social Security numbers, dates of birth, claims addresses, insurance plan identification numbers, FOI claims histories, diagnosis codes, payer identification numbers, payment amounts, contact details, and physician locations.

3. Elite Emergency Physicians (Formerly Known as Elkhart Emergency Physicians): 550,000 Patients 

The provider now known as Elite Emergency Physicians was included in a massive security incident involving the improper disposal of patient records, including records from its Elkhart Emergency Physicians. 

In June, it was reported that third-party vendor Central Files, which was tasked with secure record storage and disposal for a number of healthcare covered entities, had improperly disposed of some patient files. The impacted providers also included St. Joseph Health System in Indiana. 

Central files had been hired by a host of providers to destroy certain records and securely store some patient files until they were subsequently transferred to another records company, including sensitive and legally protected information. 

However, reports in April warned certain providers that their documents were discovered at a dump site in “poor condition, showing signs of moisture damage, mold and rodent infestation, and damage from being mixed with trash and other debris.” 

READ MORE: Inadequate Security, Policies Led to LifeLabs Data Breach of 15M Patients

“Trained safety personnel determined that further inspection of most of these records to identify individuals whose information was included in the documents would be extremely hazardous and instead recommended secure destruction as soon as possible,” officials explained. 

For Elite, the records included information of patients who visited Elkhart Emergency Physicians from 2002 to 2010. 

4. Magellan Health: 365,000 Patients

More than eight Magellan Health affiliates and some of its clients have reported breach incidents to HHS, after a sophisticated ransomware attack hit the health plan’s servers in April. Nearly 365,000 patients and employees have been impacted. 

Hackers gained access by leveraging a social engineering phishing scheme that impersonated a Magellan Health client, five days before the ransomware was deployed. During that time, hackers first exfiltrated sensitive data from the impacted server. 

The potentially stolen data included employee credentials, passwords, and W-2 forms, as well as patient data like health insurance account information and treatment information. 

The recent breach marks the second time Magellan Health has faced a massive security incident in the last year. A monthlong phishing incident in 2019 breached the data from some of the third-party vendor’s clients, such as Florida Blue, McLaren Health, and Presbyterian Health, among others. 

5. BJC Health System: 287,876 Patients

In May, Missouri-based BJC Healthcare began notifying 287,876 patients from 19 of its affiliated hospitals that their data was compromised after a successful phishing attack. 

Three BJC Health employees fell victim to the scam on March 6, which was detected by its security team on the same day. The investigation showed the hacker had access to the impacted email accounts for just one day, but officials said they were unable to determine if any patient information, emails, or attachments were viewed during that time. 

BJC reviewed all emails and attachments to determine what patients were affected and found the accounts contained information that varied by patient, including treatments, medications, Social Security numbers, and health insurance data, among other sensitive information. 

The impacted BJC-affiliated providers included: Alton Memorial Hospital, Barnes-Jewish Hospital, Barnes-Jewish St. Peters Hospital, Barnes-Jewish West County Hospital, BJC Behavioral Health, BJC Corporate Health Services, BJC Home Care, BJC Medical Group, Boone Hospital Center, Christian Hospital, Memorial Hospital Belleville, Memorial Hospital East, Missouri Baptist Medical Center, Missouri Baptist Physician Services, Missouri Baptist Sullivan Hospital, Parkland Health Center Boone Terre, Parkland Health Center Farmington, Progress West Hospital, and St. Louis Children’s Hospital.

6.Benefit Recovery Specialists: 274,837 Patients

A hacker obtained the credentials of a Benefit Recovery Specialists’ employee to gain access to the insurer's systems and deploy malware, breaching the data of 274,837 patients from several providers and payers that use BRSI for billing and collections services.

On April 30, BRSI discovered a malware incident on some of its servers and took those systems offline to remove the malicious software. An investigation confirmed a hacker accessed the systems using stolen employee credentials, which allowed the threat actor to either access or acquire some customer files for 10 days between April 20 and April 30. 

The compromised data included personal information from both current and former members of certain providers or health plans that leverage BRSI and could included dates of birth, provider names, diagnosis codes, policy identification numbers, dates of service and or procedure codes.

Social Security numbers may have been affected for a small subset of patients. 

7. Ambry Genetics: 232,772 Patients

California-based Ambry Genetics, a clinical genomic diagnostics vendor, suffered an email hack from January 22 to January 24, 2020, which compromised the data of 232,772 patients. 

An investigation revealed a hacker gained access to an employee email hack, but officials said they were unable to determine whether the threat actor was able to access or exfiltrate the data contained in the account. 

The compromised patient data could include names, medical information, and information related to services provided by Ambry Genetics. Some Social Security numbers were compromised, as well. 

The FBI and the Department of Homeland Security warned in May that COVID-19 research firms have been targeted throughout the COVID-19 crisis. 

8. PIH Health: 199,548 Patients

In January, PIH Health began notifying nearly 200,000 patients of a potential breach to their protected health information, following a targeted phishing campaign. However, the California sent notifications seven months after the incident was discovered. HIPAA requires entities to report breaches impacting more than 500 patients within 60 days of discovery. 

The initial breach was discovered in June 2019, where several employee email accounts were compromised and potentially accessed by a hacker after a successful phishing attack. The investigation concluded in October 2019 and found the accounts were accessed for more than a week. 

A second investigation was launched to determine the impacted data and found the accounts contained information from both current and former patients. The notification did not disclose just what patient data was impacted. 

9. BST & Co. CPAs: 170,000 Patients

One of the more interesting breach reports from 2020 so far involves a healthcare business associate. An accounting firm known as BST & CO. CPAs in New York was hit by the Maze ransomware hacking group, which potentially compromised the data of 170,000 Community Care Physicians. 

The ransomware attack occurred in December and reported to HHS in February. Maze ransomware hackers infected a BST network that contained data from the firm’s local clients, including CCP, to which BST provides accounting and tax services. 

An investigation revealed the attack lasted for three days and some information tied to patients was compromised during the security incident, such as names, billing codes, insurance descriptions, and medical record numbers. 

What’s more, there is a definite risk that the data was potentially accessed, acquired, or otherwise disclosed from the network. BST was indeed listed on the Maze hackers’ dark web blog prior to the breach disclosure. 

CCP patients have since filed a lawsuit against BST over the ransomware attack, claiming the accounting firm was intentionally reckless and negligent when protecting sensitive data from unauthorized access and failing to employ reasonable and adequate measures to protect its systems. 

10. Aveanna Healthcare: 166,077 Patients

In another delayed breach notification, Aveanna Healthcare in Georgia began notifying 166,077 patients in February of a potential breach caused by a successful phishing attack first detected in August 24, 2019. 

The pediatric home care provider determined several employee email accounts were hacked for more than a month between July 9 and August 24, 2019. Data access or exfiltration could not be ruled out by the investigation. 

An account review completed in December 2019 found the compromised data included patient names, Social Security numbers, State IDs, medical information, health insurance details, financial information, and driver’s licenses. 

Soon after, more than 100 breach victims filed a lawsuit against Aveanna Healthcare. The lawsuit argued the breach was caused by inadequate security, while stressing Aveanna waited well beyond the HIPAA-required 60 days to notify patients about the breach. 

“The private information was maintained on Aveanna’s computer network in a condition vulnerable to cyberattacks, including the infiltration of certain email accounts containing [patients]’ private information,” the lawsuit argued. 

“In addition, Aveanna and its employees failed to properly monitor the computer network and systems that housed the private information,” it added. “Had Aveanna properly monitored the aforementioned network and systems, it would have discovered the intrusion sooner.”