The Top 10 Healthcare Data Breaches of 2017, So Far

16 May, 2017

Hackers are increasingly finding that the healthcare industry is a juicy source for stealing personal data. Healthcare providers maintain much more detailed information on individuals than do financial institutions, and the information is often easier to get at due to healthcare’s lack of robust IT infrastructure.

To learn more about why healthcare organizations are attractive targets for hackers, read our recent blog, Why Healthcare Gets Hacked. 

According to the breach website maintained by the Office for Civil Rights of the Department of Health and Human Services, the top breaches so far this year include:

1. Commonwealth Health Corporation

Individuals Affected: 697,800

Type of Breach: Theft

Location of Breached Information: CD/USB drive

Commonwealth Health is a healthcare provider based in Kentucky. During the course of an internal investigation on March 21, 2017, they reported that a former Med Center Health employee had, on two occasions during their employment, obtained patient information under the premise that the information was needed to carry out their job duties.

The information included patients’ names, addresses, social security numbers, health insurance information, diagnoses and procedure codes and charges for medical services.

2. Urology Austin, PLLC

Individuals Affected: 279,663

Type of Breach: Hacking/IT Incident

Location of Breached Information: Network Server

Urology Austin, a Texas-based healthcare provider, announced that it experienced a ransomware attack on January 22, 2017, which potentially exposed patient data that was stored on a compromised server. Potentially affected information included patient names, addresses, dates of birth, social security numbers and medical information. Urology Austin said that it became aware of the incident within minutes of the attack, shut down its computer network, and started an investigation.

A representative from the organization said that they did not pay the ransom and were able to restore patient information from a backup.

3. Harrisburg Gastroenterology Ltd

Individuals Affected: 93,323

Type of Breach: Hacking/IT Incident

Location of Breached Information: Network Server

Harrisburg Gastroenterology is a gastrointestinal care practice in central Pennsylvania focused on the diagnosis and treatment of digestive diseases such as Crohn’s Disease, Ulcerative Colitis, Irritable Bowel Syndrome and Gastroesophageal Reflux Disease. According to their website, on March 17, 2017, following an investigation of potentially suspicious system activity, they determined that an unauthorized individual “could have potentially accessed Harrisburg Gastroenterology’s patient information.” Although the organization did not have any specific evidence that an unauthorized individual had accessed or obtained patient information from their systems, they nevertheless notified their patients of the breach.

Their website reports that the affected records contained names, demographic information, social security numbers, health insurance information, diagnostic information and clinical information.

4. VisionQuest Eyecare

Individuals Affected: 85,995

Type of Breach: Hacking/IT Incident

Location of Breached Information: Network Server

On April 27, 2017, VisionQuest Eyecare sent a letter to almost 86,000 patients. The letter states that on January 22, VisionQuest Eyecare discovered that their network had become the victim of a cyberattack. The letter states that, “It is possible that your private information including name, address, phone number, date of birth, social security number, health or vision information, medical claims data and clinical information (Protected Health Information) may have been compromised as a result of this cyberattack on our network.”

The letter goes on to state that the organization has invested in multiple technology solutions in order to mitigate further risk of a data breach.

5. Washington University School of Medicine

Individuals Affected: 80,270

Type of Breach: Hacking/IT Incident

Location of Breached Information: Email

On March 24, 2017, the Washington University School of Medicine posted a notice on their website stating that information about some of their patients may have been accessed by an unauthorized third party due to an email “phishing” incident. The notice reported that on January 24, 2017, the medical school learned that some of its employees responded to a December 2, 2016 “phishing” email, believing it to be a legitimate request. A “phishing” email is designed to look like a legitimate email but tricks the recipient into taking some action, such as providing login credentials.

Following discovery of the incident, the school conducted a detailed review of the employees’ email accounts and confirmed that some of the emails contained patient information, which may have included names, birth dates, medical record numbers, diagnosis and treatment information, other clinical information, and in some instances, social security numbers.

6. Emory Healthcare

Individuals Affected: 79,930

Type of Breach: Hacking/IT Incident

Location of Breached Information: Database

Emory Healthcare utilizes an application called Waits & Delays to update patients regarding their appointments. The database contains patient information including names, dates of birth, contact information, internal medical records, and basic appointment information such as dates of service, physician names and whether patients required imaging. The database does not contain patients’ social security numbers, financial information, diagnosis or other electronic medical record information.

On January 3, 2017, Emory Healthcare learned that there had been unauthorized access to the Waits & Delays database over the New Year’s weekend when someone deleted the database and demanded that Emory Healthcare pay to have it restored. In addition to the extortion attack on the database, Emory Healthcare also learned that there was another unauthorized access by an independent security research center that searches out vulnerabilities in applications and traditionally notifies the company, so that it can be remedied.

In a statement provided to the blog Databreaches.net, Emory says it did not pay the ransom demanded by the attacker.

7. Stephenville Medical & Surgical Clinic

Individuals Affected: 75,000

Type of Breach: Unauthorized Access/Disclosure

Location of Breached Information: Desktop Computer

Although not a lot is known about it, Stephenville Medical & Surgical Clinic in Stephenville, Texas reported that a security breach impacted 75,000 individuals. The incident involved the unauthorized accessing of a desktop computer.

8. Primary Care Specialists, Inc.

Individuals Affected: 65,000

Type of Breach: Hacking/IT Incident

Location of Breached Information: Network Server

On February 27, 2017, Primary Care Specialists, Inc. (PCS) was the victim of a cyberattack in which an unauthorized, unknown third party encrypted two data servers. On March 3, 2017, PCS determined that a malware attack may have affected protected health information of historical patient medical records, including patient medical files. The types of protected information potentially involved in the incident include names, birth dates, addresses, insurance and payment information, social security numbers and medical information.

9. ABCD Pediatrics, P.A.

Individuals Affected: 55,447

Type of Breach: Hacking/IT Incident

Location of Breached Information: Network Server

During the morning of February 6, 2017, an employee of ABCD Pediatrics discovered that a virus had gained access and begun encrypting ABCD’s servers. Upon discovery, ABCD immediately contacted its IT company, and ABCD’s servers and computers were promptly moved offline and analyzed. ABCD’s IT company identified the virus as “Dharma Ransomware,” which is a variant of an older ransomware virus called “CriSiS.” ABCD’s IT company reported that these virus strains typically do not remove data from the server; however, exfiltration could not be ruled out. Also, during the analysis of ABCD’s computers and servers, suspicious user accounts were discovered, suggesting that hackers may have accessed portions of ABCD’s network.

The compromised information included patient names, addresses, telephone numbers, birth dates, other demographic information, social security numbers, insurance billing information, procedural technology codes, medical records and laboratory reports.

10. WellCare Health Plans, Inc.

Individuals Affected: 24,809

Type of Breach: Hacking/IT Incident

Location of Breached Information: Network Server

WellCare Health Plans reported that it was alerted on December 27, 2016, that Summit Reinsurance Services, WellCare’s former reinsurance services provider, experienced a ransomware attack on its file server on August 8, 2016. Summit reported that the encrypted information may have included names, birth dates, addresses, member IDs, diagnoses, provider names and locations and social security numbers.

While many ransomware infections occur randomly as a result of employees opening malicious email attachments or from visiting malware-infected websites, in this case the investigation into the breach revealed that access to SummitRe’s system was first gained on March 12, 2016, approximately five months prior to ransomware being installed. That suggests the hacker had time to view sensitive information stored on SummitRe’s system and installed ransomware when there was no further need for system access.

Unreported Breaches

It’s possible that this list will change as some breaches have likely not been discovered yet. Protenus Inc., a provider of patient privacy analytics, has reported that the average time to discover a protected health information (PHI) data breach is 233 days. It’s also possible that there are additional data breaches that have been detected, but that the organization is waiting to report until they have done more investigation and can hopefully provide some positive information, such as that there was likely no unauthorized use of PHI.
