This was a significant year for the healthcare industry in terms of data breaches. The top three healthcare data breaches alone combined to potentially affect nearly 100 million individuals.
As 2015 comes to an end, HealthITSecurity.com reviewed the largest healthcare data breaches for the year. While these are not the only data security incidents that took place this year, in terms of sheer size of patients affected, these data breaches were extremely impactful. It is also important to note that the top 10 healthcare data breaches were all classified as “hacking/IT incident” by the Office for Civil Rights (OCR).
Regardless of a healthcare organization’s size, HIPAA compliance is essential. Having current and comprehensive administrative, technical, and physical safeguards is a critical step. Regular risk assessments and employee training will also go a long way in ensuring patient data security.
Technology will only continue to evolve, and cyberattacks are not likely to decrease. Covered entities and their business associates must remain alert and vigilant, and work towards prevention on numerous fronts.
Anthem, Inc. data breach affects 78.8M
In February, Anthem, Inc. announced that hackers broke into one of its databases, potentially compromising 78.8 million individuals’ personal information.
Affected data included names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses. Both Anthem patients and employees were possibly affected.
“Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised,” Anthem president and CEO Joseph Swedish said in a statement. “Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.”
Anthem also came under scrutiny from certain lawmakers for its timeline in the data breach notification process. The breach was discovered on Jan. 29, 2015, but the company waited until Feb. 4, 2015 to make a public announcement. The databases were potentially accessed as early as April 2014, which means personal data could have been in the wrong hands for some time, the lawmakers stated.
‘Sophisticated cyber attack’ hits Premera Blue Cross
The second largest healthcare data breach for 2015 took place at Premera Blue Cross, where 11 million individuals potentially had their information accessed in a hacking incident.
As with the Anthem data breach, Premera discovered the data breach on Jan. 29, 2015. However, it is believed that the initial attack occurred on May 5, 2014.
Applicants and members’ names, dates of birth, email addresses, addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information, and claims information, including clinical information, were all possibly exposed.
Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and the health insurer’s affiliate brands Vivacity and Connexion Insurance Solutions, Inc. are all potentially affected. Members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska were also affected by the cyber attack.
Excellus data breach compromises PHI of 10M
Originally reported as affecting 7 million individuals, the Excellus data breach potentially compromised 10 million individuals’ PHI, according to the OCR data breach reporting database.
Excellus Blue Cross Blue Shield (Excellus BCBS) announced in September that it discovered on August 5, 2015 that it had been the victim of a cyber attack. However, the initial attack took place on December 23, 2013.
Potentially exposed information includes individuals’ names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claims information.
“This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in the 31 county upstate New York service area of Excellus BCBS,” Excellus BCBS explained. “Individuals who do business with us and provided us with their financial account information or Social Security number are also affected.”
UCLA Health System reports cyber attack over summer
UCLA Health System was also the victim of a large-scale cyber attack, reporting in July that approximately 4.5 million patients may have had their information exposed in a healthcare data breach.
The attack was discovered on May 5, 2015. Affected individuals include UCLA Health patients, providers who sought privileges at any UCLA Health hospital, and anyone whose information was maintained on the impacted parts of the UCLA Health network.
Suspicious activity on the UCLA Health network was first discovered in October 2014 and an investigation was reportedly opened. However, UCLA Health said that it did not appear at the time that attackers had gained access to the parts of the network that contain personal and medical information.
3.9M individuals affected by Medical Informatics Engineering breach
Medical Informatics Engineering (MIE) reported over the summer that it had experienced a cyber attack affecting 3.9 million individuals. Suspicious activity was first noticed on one of its servers on May 26, and the company submitted breach information to OCR on July 23.
MIE referred to the incident as a “sophisticated cyber attack,” and said that the unauthorized access may have begun on May 7, 2015.
Affected clients included Concentra, Fort Wayne Neurological Center, Franciscan St. Francis Health Indianapolis, Gynecology Center, Inc. Fort Wayne, and Rochester Medical Group.
A class-action lawsuit was soon filed against MIE, claiming that MIE failed “to take adequate and reasonable measures to ensure its data systems were protected,” and also failed “to take available steps to prevent and stop the breach from ever happening.”
CareFirst data breach affects 1.1M current and former members
CareFirst BlueCross BlueShield (CareFirst) was another cyber attack victim, announcing in May that approximately 1.1 million current and former members potentially had their information accessed.
Cyber attackers reportedly gained access to a single database in June 2014. CareFirst said it uses that database for members and other individuals to access CareFirst’s websites and online services.
“Limited personal information” was involved, including the user names that members created to access CareFirst’s website, members’ names, dates of birth, email addresses and subscriber identification numbers. Social Security numbers, medical claims information and financial information were not affected.
Virginia Department of Medical Assistance Services (VA-DMAS)
The Virginia Department of Medical Assistance Services (VA-DMAS) reported to OCR on March 12, 2015 that a hacking incident related to a network server had occurred. The incident affected 697,586 individuals.
Georgia Department of Community Health
The Georgia Department of Community Health reported two separate incidents to OCR on March 2, 2015. Both were classified as “hacking/IT incident,” and reportedly involved a network server.
One incident affected 557,779 individuals, while the second affected 355,127.
Phishing scam exposes 300K individuals at Beacon Health
South Bend, Indiana-based Beacon Health System reported in May that “it was the subject of a sophisticated phishing attack,” and unauthorized individuals gained access to employee emails. Those emails reportedly contained “the personal and protected health information of some individuals, including patients.”
“Beacon continued an extensive review to determine if sensitive information was affected,” Beacon explained in the statement. “On May 1, 2015, Beacon was advised that protected health information was contained in the affected emails. While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes.”
Affected information included patient names, doctor names, internal patient ID numbers, and patient status (either active or inactive). While that was the majority of exposed data, Beacon added that Social Security numbers, dates of birth, driver’s license numbers, diagnoses, dates of service, and treatment and other medical record information could also have been accessed for some individuals.