This past year, healthcare organizations were hit by rising challenges to data security. A variety of industry companies were victimized and reported significant numbers of records put at risk by hackers. Here are the 15 largest breaches covered by Health Data Management this year.
Records affected: 2.6 million
A major cyber event at Atrium Health, a delivery system with more than 40 hospitals and 900 care locations in the Carolinas, affected more than 2.6 million patient records. Included in that total were about 700,000 affected individuals whose Social Security numbers were compromised and who were offered credit monitoring services from Kroll.
West Des Moines, Iowa
Records affected: 1.4 million
A series of phishing attacks at UnityPoint Health tricked employees into providing confidential sign-in information for its email system. The attacks, believed to have occurred from March 14 to April 3, gave attackers access to internal emails. The organization did not discover that its business email system had been compromised until May 31, and about 1.4 million individuals were notified of the network breach that may have provided access to their data.
3. Augusta University Health System
Records affected: 417,000
Two cyberattacks at the health system put the personal and protected health information of approximately 417,000 individuals at risk. The health system worked with cybersecurity professionals to define the scope of the first breach and on July 31, 2018, determined that email accounts accessed earlier by an unauthorized person were the source of the large breach, which initially occurred on September 10 and 11, 2017.
Records affected: 276,057
Med Associates, a vendor offering claims processing services for providers in the Albany region of New York, recently notified 276,057 individuals about a data breach after a computer was hacked. The company discovered that a third party had accessed the computer remotely after an associate noticed that another user was logged into her workstation.
5. New York Oncology Hematology
Records affected: 128,400
A sophisticated phishing incident at a New York oncology and hematology practice went undetected for a week, affecting the protected health information of 128,400 individuals. Fourteen employee email accounts at New York Oncology Hematology in the Albany region fell victim to attackers between April 20 and April 27 as employees clicked on phishing emails, which exposed protected health information in the email accounts.
6. Center for Orthopaedic Specialists
West Hills, Calif.
Records affected: 85,000
The Center for Orthopaedic Specialists in the greater Los Angeles area—part of the Providence Health & Services delivery system—offered 85,000 patients a comprehensive suite of protective services after a ransomware incident earlier this year. The attack affected three of the center’s five sites, with malicious software deployed to gain access to and encrypt patient data.
7. Centers for Medicare and Medicaid Services
Records affected: 75,000
The Centers for Medicare and Medicaid Services reported unauthorized access to consumer data in systems that support federal insurance exchanges. The agency said the breach affected personal information of individuals who get their health insurance from Federally Facilitated Exchanges under the Affordable Care Act.
8. The Oregon Clinic
Records affected: 64,487
The Oregon Clinic, serving the Portland metropolitan region, on March 9 learned that an unauthorized party had accessed one of the organization’s email accounts, thus potentially gaining access to patient information. The clinic disabled the email account, launched an investigation and contracted with a digital forensics firm to assess the nature and extent of the breach.
Records affected: 36,305
Triple-S Advantage, the Blue Cross Blue Shield licensee in Puerto Rico, ran afoul of privacy and security regulations after mailing a large number of notices with protected health information to incorrect addresses. The insurer sent notification letters to 36,305 patients outlining the disclosure of protected health information after the error was discovered.
10. Decatur County General Hospital
Records affected: 24,000
Decatur County General Hospital, a 40-bed facility, offered 24,000 patients one year of credit monitoring services after its electronic health record system was hacked. The incident appeared to be a ransomware attack, although the organization did not use that term in the notification letter it sent to patients.
11. Minnesota Department of Human Services
Records affected: 21,000
About 21,000 individuals receiving health insurance through the Minnesota Department of Human Services were affected by a potential breach. The state agency is notifying those individuals that their protected health information may have been compromised following two phishing incidents at the department that occurred between June 28 and July 9. Hackers reportedly gained access to the state email accounts of two DHS employees and used the accounts to send out spam emails.
Records affected: 19,807
Criminals had access to patient data for more than a month at NorthStar Anesthesia in Irving, Texas, via an email phishing attack. NorthStar learned of the attack on May 24 and engaged forensic investigators to assess the nature and scope of the breach and affected information. Forensics showed that unauthorized individuals gained access to certain employee email accounts between April 3 and May 24 and that the emails contained protected health information. NorthStar offered two years of credit and identity theft protection services.
Records affected: 18,000
UMC Physicians, part of the UMC Health System in Lubbock, Texas, notified 18,000 patients after the hacking of an employee’s email account. The organization’s information technology department discovered the attack on May 18 and notified local law enforcement and the FBI.
14. Independence Blue Cross, Philadelphia
Records affected: 16,762
The insurer alerted nearly 17,000 members after an employee put protected health information onto a public-facing website. The information was uploaded as a file accessible on the website for the plan from April 23 to July 20. “After a thorough investigation, we are unable to determine if protected health information was accessed and are unaware of any actual or attempted misuse of this information,” the Blues plan explained in a notice.
Records affected: 16,000 individuals
HealthEquity, a custodian of more than 3.4 million health savings accounts, had a data breach after one employee’s email account was accessed by an unauthorized person. Two companies in Michigan that receive services from HealthEquity were affected by the breach.
16. Kansas Department for Aging and Disability Services
Records affected: 11,000
On February 23, the Kansas Department for Aging and Disability Services became aware of a potential breach of protected health information after an employee sent an unauthorized email containing personal health information to a group of current KDADS business associates.
Date: December 18, 2018