The healthcare industry is quickly becoming the prime targets for hackers. In the last 5 years alone, the cybersecurity ecosystem has seen a rise in healthcare data breaches – in terms of both frequency and size. The year 2018 is already becoming a year of healthcare data breaches as out of the 250 total number of breaches reported by the Identity Theft Resource Center (ITRC), 67 of those were on the healthcare industry comprising a total of 787,756 number of records ( as on 27th March 2018).

2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyber attack. 2016 saw more healthcare data breaches reported than any other year, and 2017 looks set to be another record breaker. (Source)

Healthcare Data Breaches – What’s the motive?

A recent analysis by SecurityScorecard, a security rating and continuous risk monitoring platform, ranks the healthcare industry 15th in overall security rating when compared to 17 other major U.S. industries. “Last year took a toll on the overall cybersecurity confidence in healthcare organizations, with dozens of ransomware attacks, and data breaches. It’s no surprise that our research team found healthcare organizations are behind in proper network and endpoint security protocols,” said Jasson Casey, CTO, SecurityScorecard.

“As we move through 2018, healthcare organizations need to get back to the fundamentals of good cybersecurity hygiene by keeping up with patching schedules and outfitting the organization with enough personnel to accomplish this goal.”

Key Insights from the report:

1) The healthcare industry is one of the lowest performing industries in terms of endpoint security, posing a threat to patient data and potentially patient lives.

2) Social engineering attacks continue to put patient data at risk.

3) 60 percent of the most common cybersecurity issues in the healthcare industry relate to poor patching cadence.

4) All healthcare organizations struggled with patching cadence and network security.

The motive seems clear from the above analysis. The thing with the healthcare industry is – be it Hospitals, Doctors’ Clinics, Nursing Homes & Assisted Living Facilities, Outpatient clinics and other healthcare providers, they all have one thing in common – the juicy details of patient information.

These details include personally identifiable information such as social security numbers, names, and addresses to sensitive health data such as Medicaid ID numbers, health insurance information, and patients’ medical histories. These can then be used for ‘Identity Theft‘ probably more than any other industry.

To give you further insights on how bad the situation is, here’s a recap to some of the biggest healthcare data breaches of all time. These are reported according to the U.S. Department of Health and Human Services Office for Civil Rights (listed as per size, from the smallest to the largest in terms of the no. of individuals affected):

Top 10 Healthcare Data Breaches of All Time

10. NewKirk Products

Time of occurrence: August 2016

Number of patients affected: 3.47 million

What exactly happened: According to a press release issued on August 5,2016, Newkirk Products, Inc. announced a cyber security incident involving unauthorized access to a server containing certain personal information. The information included the member’s name, mailing address, type of plan, member and group ID number, names of dependents enrolled in the plan, primary care provider, and in some cases, date of birth, premium invoice information and Medicaid ID number.

The intruder exploited a weakness in the administrative portal of the 3rd party software on the single isolated server, and gained unauthorized access to the system.

9. Banner Health

Time of occurrence: August 2016

Number of patients affected: 3.62 Million

What exactly happened: Banner Health discovered unusual activity on its computer servers in late June and uncovered evidence of two attacks, with hackers accessing both patient records and payment-card records of food and beverage customers. Banner Health officials said the attackers sought payment-card data, including cardholder name, card number, expiration date and internal verification codes of cards that were used at some Banner Health locations from June 23 through July 7.

8. Medical Informatics Engineering

Time of occurrence: July 2015

Number of patients affected: 3.9 Million

What exactly happened: Medical Informatics Engineering acknowledged that in May 2015, they were the target of a sophisticated cyber-attack that affected at least 11 healthcare providers and 3.9 million patients. Affected patients received a notice in the mail, that their personal information – names, Social Security numbers, phone numbers, mailing addresses, dates of birth, diagnoses, and other sensitive info – had been stolen.

7. Advocate Health Care

Time of occurrence: August 2013

Number of patients affected: 4.03 Million

What exactly happened: Advocate Health Care reported three separate data breaches that occurred between July and November 2013, involving Advocate Medical Group, a physicians’ group with more than 1,000 doctors. The first breach occurred early July 15 when four desktop computers containing records of nearly 4 million patients were stolen from an AMG administrative office in Park Ridge, Illinois.

The second breach involved an unauthorized third party getting access to the network of a company that provides billing services to AMG between June 30 and August 15, 2013, which potentially compromised the health records of more than 2,000 AMG patients, according to the agreement.

Then, on Nov. 1, 2013, an unencrypted laptop containing patient records of more than 2,230 people was stolen from a car belonging to an AMG staffer, the agreement said.

In August 2016, Advocate agreed to pay $5.55 million to settle a lawsuit related to the breach.

6. Community Health Systems

Time of occurrence: April-June 2014

Number of patients affected: 4.5 Million

What exactly happened: In mid- 2014, Community Health Systems, which operates 206 hospitals across the United States, announced that hackers recently broke into its computers and stole data on 4.5 million patients. Hackers had gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.

Anyone who received treatment from a physician’s office tied to a network-owned hospital in the last five years — or was merely referred there by an outside doctor — was affected by the hack.

5. University of California, Los Angeles Health

Time of occurrence: July 2015

Number of patients affected: 4.5 Million

What exactly happened: Marking another high-profile data breach in 2015, hackers broke into UCLA Health System’s computer network and had accessed sensitive information on as many as 4.5 million patients. The information contained names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information such as patient diagnoses and procedures.

“These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links,” said Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas (Source).

4. TRICARE

Time of occurrence: September 2011

Number of patients affected: 4.9 Million

What exactly happened: In late 2011, TRICARE reported a massive data breach in which the personal and medical records of millions of military patients and their families were compromised. This happened when the records were stolen out of a data contractor’s car in San Antonio. The records were in the car, because they were “being transferred from one federal facility to another in compliance with the terms of their contract.”

TRICARE officials said that the data on the tapes include Social Security numbers, addresses and phone numbers, and some personal data such as clinical notes, laboratory tests, and prescriptions. The officials further added that no financial data, such as credit card or bank account information, were on the tapes.

3. Excellus BlueCross BlueShield

Time of occurrence: September 2015

Number of patients affected: 10+ Million

What exactly happened: Another major healthcare company to let hackers pry open its grip on patients’ data in the year 2015 was Excellus Blue Cross Blue Shield, with as many as 10 million people’s personal records exposed. Excellus had revealed that in August 2015 it discovered a nearly 2-year old intrusion campaign in its network that gave hackers access to potentially all its customers’ records.

That data includes names, birth dates, Social Security numbers, mailing addresses, telephone numbers, and a variety of account information including claims and financial payment details that included some credit card numbers.

2. Premera Blue Cross

Time of occurrence: January 2015

Number of patients affected: 11+ Million

What exactly happened: In mid-March of 2015, Health insurer Premera Blue Cross said that it was a victim of a cyberattack that may have exposed medical data and financial information of 11 million customers. It said the attackers may have gained access to data, including clinical information, along with banking account numbers, Social Security numbers, birth dates and other data in an attack that began in May 2014.

Medical records are highly valuable on underground criminal exchanges where stolen data is sold because the information is not only highly confidential, it can also be used to engage in insurance fraud.

“Medical records paint a really personal picture of somebody’s life and medical procedures. They allow you to perpetrate really in-depth medical fraud.” – Dave Kennedy, an expert in health care security (Source).

1. Anthem Blue Cross

Time of occurrence: January 2015

Number of patients affected: About 79 million

What exactly happened: The month of January 2015 was a historically bad month for healthcare data breaches. In the biggest healthcare breach to date (and, hopefully, ever), Anthem disclosed that 78.8 million patient records had been stolen on January 29, 2015.

An unknown hacker had accessed a database containing personal information, including names, birthdays, social security numbers, addresses, email addresses and employment and income information. The attack did not compromise credit card information or medical information, the company said.

In late June 2017, Anthem Inc, had agreed to settle litigation over hacking in 2015 for $115 million, which lawyers said would be the largest settlement ever for a data breach. The breach is one of a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies in recent years, including Target Corp, which agreed to pay $18.5 million to settle claims by 47 states in May 2017, and Home Depot Inc, which agreed to pay at least $19.5 million to consumers in 2016.

Final Thoughts

This post comes at a time when we just celebrated World Health Day which was on 7th April 2018. The idea is to call on world leaders to live up to the pledges and commit to concrete steps to advance #HealthForAll. As the world becomes more and more connected, with the proliferation of the Internet of Things and the average doctor and patient becoming more connected to each other, we’ll experience an even greater influx of data in the coming days.

Now is the time when #HealthForAll should also mean #HealthcareDataSecurityForAll.

The need of the hour is to be aware and deploy good security measures and best practices. The key to winning against cyber attacks is to constantly test your own security architecture and never, ever, become complacent.

Appknox | Mobile App Security, Resources, Best Practices & News Never-worry-about-your-business-getting-hacked-1024x535 Top 10 Healthcare Data Breaches of All Time Security