The threat landscape has continued to evolve throughout the year, with hackers ramping up targeted, sophisticated attacks. Ransomware continued to plague the healthcare sector, while phishing attacks and insider errors led to some of the biggest breaches in 2018.
The good news is that awareness continues to increase within the healthcare sector. However, resources and staffing gaps continue to be problematic. And hackers will continue to pummel the sector with targeted attacks through 2019 and beyond.
To learn from the security incidents of the year, we count down to the year’s biggest data breaches in the healthcare sector.
10. HealthEquity: 190,000 Individuals
The data of about 190,000 HealthEquity customers was breached for about a month, after a hack on two employee email accounts. Officials discovered the breach on October 5, when a hacker accessed the accounts. The first account was breached on October 5 and the other was accessed on several occasions between September 4 and October 3.
This was HealthEquity’s second breach this year. In June, a hacker breached another employee email account, compromising the data of 16,000 customers.
9. MedEvolve: 205,000 Patients
The practice management software vendor left its FTP server open to the public without the need for a login in May, which exposed the data of 205,000 patients from two separate providers: Texas-based dermatologist Beverly Held, MD and Pennsylvania-based Premier Urgent Care.
First discovered by a security researcher, the FTP server was configured to allow anonymous logins, did not require login credentials, and failed to display a banner that could direct users to not access patient files.
8. Med Associates: 270,000 Patients
The Albany-based healthcare billing claims vendor discovered a hacker accessed an employee workstation on March 22, when the computer displayed unusual activity. An investigation determined it was a hack and that the cybercriminal may have accessed 270,000 patient records.
While the workstation did not contain financial data, Social Security numbers were included in the breached data.
7. Oklahoma State University Center for Health Sciences: 279,865 Medicaid Patients
The Oklahoma State University Center for Health Sciences began notifying 279,855 patients in January that their data may have been breached, after a hacker gained access to the provider’s network. The cybercriminal accessed patient records that contained Medicaid billing data.
The compromised folders contained patient names, Medicaid numbers, provider details, dates of service and treatment information. The investigation could not rule out access.
6. Augusta University Health: 417,000 Patients
The Georgia-based provider began notifying patients in August of two cyberattacks that happened nearly one year ago. The health system fell victim to two phishing attacks in September 2017, but other cyberattacks successfully breached AU Health in July 2018, September 2016, and April 2017.
The hackers were able to solicit usernames and passwords to gain access into internal email accounts. Once it was discovered, officials disabled the infected accounts. The notice did not explain when the access was first discovered, nor why the notice was released almost a year after the initial attack.
5. LifeBridge Health: 500,000 Patients
The Baltimore-based health system fell victim to a malware attack, which potentially breached the data of nearly half a million patients for more than a year. On March 18, officials discovered a malware infection on its server. However, the investigation determined the hackers first gained access on Sept. 27, 2016.
The breached data contained a trove of patient details, from demographic information to insurance data and medical histories. For some patients, Social Security numbers were included in the breach.
4. Health Management Concepts: 502,416 Members
A ransomware attack on HMC quickly turned into a health data breach, when hackers were inadvertently provided a file containing personal data of members. Officials discovered the ransomware infection in July, on the server used to share files with clients.
HMC paid the ransom to the hackers to release the files, which decrypted the data. Officials said they accidentally sent the file containing Social Security numbers, health insurance information and patient names to the hackers – but did not say how or why.
3. CNO Financial Group: 566,217 Customers
CNO’s largest unit, Bankers’ Life, began notifying customers of a breach discovered on August 7. Hackers accessed several employee credentials between May 30 and September 13. These unauthorized users used this information to access company websites, compromising the data of policy holders and applicants.
The breached data included names, insurance details, dates of birth, and the last four digits of Social Security numbers. For some, complete Social Security numbers, credit or debit information, medications, diagnoses and/or treatment details were included in the breach.
2. UnityPoint Health: 1.4 Million Patients
A phishing attack on the Iowa-based health system’s business email system breached the data of 1.4 million patients. This was UnityPoint’s second breach this year. In April, a separate phishing attack on staff email accounts at its Madison campus compromised 16,000 patient records.
The email system was hit with a series of highly targeted phishing emails that looked as if they were sent from an executive from within the organization. An employee fell for the scam, which gave hackers access to internal email accounts from March 14 to April 3. Notifications began in July.
1. AccuDoc Solutions: 2.65 Million Atrium Health Patients
The largest health data breach of 2018 was caused by a hack on billing vendor AccuDoc Solutions, which compromised patient data for a week. The North Carolina-based vendor prepares patient bills and operates Atrium Health’s billing system. The records were retained from payments made at some Atrium Health locations.
AccuDoc discovered some of its accounts were compromised by a cyberattack from September 22 to 29. The investigation determined hackers could view the data, but not extract it. Atrium Health was notified of the breach on October 1.