While 2016 is not yet complete, approximately 250 potential healthcare data breaches, each affecting more than 500 individuals, have already been reported to the Office for Civil Rights (OCR).
The majority of these incidents are related to unauthorized access or disclosure. However, the four largest data security incidents were all reportedly caused by hacking incidents.
Out of the 243 incidents reported to the OCR so far this year, 81 were caused by a hacking or IT incident. The most commonly reported issue, though, was unauthorized access or disclosure, with 102 reported cases. There were also 46 cases of theft, 10 incidents involving loss, and four caused by improper disposal.
Arizona-based Banner Health reported earlier this summer that it had experienced a cybersecurity attack potentially affecting approximately 3.6 million patients, members and beneficiaries, providers, and food and beverage outlet customers.
Banner discovered the incident on July 7, 2016, but said that the attack initially took place on June 17, 2016.
The cybersecurity breach affected “a limited number of Banner Health computer servers as well as the computer systems that process payment card data at certain Banner Health food and beverage outlets.”
Potentially affected patients may have had names, dates of birth, addresses, physicians’ names, dates of service, clinical information, and possibly health insurance information accessed. If Social Security numbers were provided, then those may also have been exposed, according to Banner.
Members and beneficiaries may have had their names, dates of birth, Social Security numbers, addresses, dates of service and claims information, and health insurance information as a current or former health plan member or beneficiary exposed.
For the food and beverage outlet customers, Banner said in its statement that payment cards used at 27 different Banner Health locations from June 23, 2016 to July 7, 2016 may have been affected. Possibly affected locations were in Arkansas, Arizona, Colorado, and Wyoming.
Newkirk Products, Inc. is a New York-based service provider that issues healthcare ID cards for health insurance plans. It announced in August 2016 that it experienced a data breach potentially compromising the information of approximately 3.4 million plan members.
While Newkirk maintained in its statement that no health plan systems were accessed or affected in any way, potentially accessed information included some combination of member names, mailing addresses, type of plan, member and group ID numbers, names of dependents enrolled in the plan, primary care providers, and in some cases, dates of birth, premium invoice information and Medicaid ID numbers.
“On July 6, 2016, Newkirk discovered that a server containing member information was accessed without authorization,” Newkirk explained. “Newkirk shut down the server, started an investigation into the incident and hired a third party forensic investigator to determine the extent of the unauthorized access and whether the personal information of its clients’ members may have been accessed. Newkirk also notified federal law enforcement.”
The service provider added that the access first occurred on May 21, 2016, but maintained that there was no indication that the data had been used inappropriately.
21st Century Oncology
Healthcare provider 21st Century Oncology submitted notification of a possible healthcare data breach in March 2016. The incident may have affected approximately 2.2 million individuals, according to the OCR data breach reporting tool.
21st Century explained in a statement that it was told by the FBI that one of its databases was inappropriately accessed on November 13, 2015.
A forensics investigation determined that the intruder may have accessed the database on October 3, 2015.
“We continue to work closely with the FBI on its investigation of the intrusion into our system,” 21st Century said. “In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.”
There was no indication that medical records were accessed, but potentially affected information did include patient names, Social Security numbers, physicians’ names, diagnosis and treatment information, and insurance information.
Valley Anesthesiology and Pain Consultants (VAPC) announced in August 2016 that 882,590 patients may have had their information exposed when one of its computer systems was inappropriately accessed by an unauthorized party.
Certain patient information, provider information, and employee information may all have been accessed, according to VAPC.
For patients specifically, names, providers' names, dates of service, places of treatment, names of health insurers, insurance identification numbers, diagnosis and treatment codes, and, in a few cases, Social Security numbers were potentially exposed.
“VAPC recognizes the importance of protecting the privacy and security of personal information, and regrets any inconvenience or concern this incident may cause,” VAPC said in a statement. “In addition to security safeguards already in place, VAPC is taking steps to enhance the security of its computer systems in order to prevent this type of incident from occurring again in the future. These steps include reviewing its security processes, strengthening its network firewalls, and continuing to incorporate best practices in IT security.”
The fifth largest potential healthcare data breach so far in 2016 was not due to a hacking or IT incident. Instead, South Carolina-based Bon Secours Health System, Inc. reported in August 2016 that patient files were left accessible on the internet back in April.
The incident occurred when a vendor - R-C Healthcare Management - inadvertently made patient files available online as it attempted to adjust its computer network settings from April 18, 2016 to April 21, 2016.
Bon Secours reported to OCR that 651,971 individuals were possibly affected.
Information that may have been exposed online included patients’ names, health insurers’ names, health insurance identification numbers, limited clinical information, Social Security numbers, and in some instances, bank account information. Bon Secours added that medical records were not included.
“We deeply regret any concern this may cause our patients,” Bon Secours said in an online statement. “To help prevent something like this from happening in the future, we are reinforcing standards with our vendors to ensure our patients’ information is securely maintained.”