Nearly 95 percent of medical and healthcare institutions report having been the victim of some form of cyber-attack. The trend toward digitized healthcare records, increased sharing of electronic protected health information (ePHI), and new government efforts to centralize healthcare records and secure them against breaches all but guarantee that the industry will see an increase in both the number and the sophistication of attacks on this data.

In fact, according to a recent report from the Health and Human Services Office for Civil Rights, an estimated 112 million records were lost or compromised in more than 250 known breaches of healthcare industry records in 2015(1). To put these numbers in perspective, 112 million stolen records represent roughly 35% of the entire population of the United States(2).

A recent data breach study estimates that these breaches cost the healthcare industry more than $5.5 billion each year, a figure expected to keep growing as new EMR and ePHI technology is developed and adopted across the industry.

Of the healthcare breaches reported in 2015, nearly 40% were attributed to “unauthorized access.” A closer look at the ten largest breaches shows that over 90% of them were classified as “Hacking or IT incidents”; hacking incidents and breaches classified as “theft” together accounted for nearly 50% of all healthcare breaches in 2015(1).

Healthcare Security Data Breaches Continue in 2016

The first half of 2016 was largely free of headline-grabbing breaches, until a database containing over 9 million health insurance records appeared for sale on a darknet marketplace(3).


Other notable healthcare data breaches that occurred in 2016 and were reported by the HIPAA Journal include:

  • Potential access to and/or theft of over 2.2 million patients’ data files from the cancer treatment provider 21st Century Oncology.
  • A combined total of over 600,000 patients’ ePHI records compromised through stolen, unencrypted laptops.
  • An estimated 265,000 patient records compromised by malware at Bizmatics, an electronic medical records management company.

So far in 2016, the Department of Health and Human Services’ OCR has received 142 reported healthcare breaches, one fewer than the 143 reported during the same period of 2015(3).

Where Healthcare Security Attacks Are Occurring

The rapid development of medical technology and the sheer size of the healthcare industry create a virtual “wild west” for attackers looking to profit from data seized through the loopholes they exploit. An analysis released by the SANS Institute identified the specific types of healthcare organizations that had been compromised and the malicious IP traffic originating from them. In studying nearly 50,000 events, SANS concluded that imaging software, video and digital conferencing systems, VPNs, firewalls, and routers can all be compromised and expose protected health records.

Recent Case Studies

Attackers view the healthcare industry as an easy target, especially compared to the banking, industrial, and retail sectors, according to Lynne Dunbrack, research vice president of IDC Health Insights, a health IT research and consulting firm(4). With healthcare historically investing less in IT security, and with the darknet value of individuals’ private health records continuing to rise, even the largest companies in the industry have fallen victim to data breaches. The following case studies illustrate what is becoming the norm in healthcare: millions of private records compromised in a single breach.


Anthem; Second Largest Health Insurer in the United States: 80 Million Records Compromised

Anthem was the victim of the largest data breach in the healthcare industry to date. In the attack, which began in December 2014, hackers may have stolen the names, Social Security numbers, addresses, income data, and healthcare identification numbers of nearly 80 million customers. Perhaps equally concerning, Anthem could not rule out that customers’ medical records or credit card data had also been compromised(5).

Premera Blue Cross; Medical Insurance Company: Over 11 Million Records Compromised Via Hacker Breach

Early in 2015, over 11 million customers’ records were compromised after an unknown attacker gained illicit access to Premera Blue Cross’ networks. The data exposed was very similar to that in the Anthem breach, but Premera announced that the breach might also have compromised customers’ banking information and detailed insurance claims dating back as far as 2002.

TRICARE; 4.9 Million Patient Records Stolen from Employee’s Car

In one of the more unusual incidents of compromised healthcare records, 4.9 million records were exposed when the car of a TRICARE subcontractor was broken into; electronic backup tapes containing the patient records were among the items stolen. Although not a clear case of a cyber-attack, what makes this case most interesting is the reasoning put forward by a federal judge in dismissing the lawsuits brought over the lost data. Specifically, the judge concluded that the loss of data, without clear proof that the data was misused, is not enough to award damages to the plaintiffs(5).

Community Health Systems; Operates 200 United States Hospitals: 4.5 Million Patient Records Compromised

Community Health Systems fell victim to attackers who gained access by exploiting Heartbleed, a known vulnerability in the OpenSSL library. As a result, the names, dates of birth, and Social Security numbers of 4.5 million patients were potentially stolen in an attack that may have been connected in some way to the Anthem breach.

Banner Health; Owns and Operates Nearly 30 Hospitals and 3 Teaching Medical Centers: 3.7 Million Patient Records Compromised 

Just this month, a breach at Banner Health compromised the records of at least 3.7 million people; the information included patients’ and physicians’ names, Social Security numbers, and health insurance information. In a new twist, data from purchases made at vending machines, including cell phone and payment data, was also compromised. Banner Health has not yet determined how the attackers infiltrated its servers and computer systems.

Mass General Hospital; 4,300 Patient Dental Records Stolen From Third-Party Vendor

The Mass General Hospital breach demonstrated that hiring a third-party vendor to manage patient data still leaves an organization exposed to breaches and theft of patient information. Mass General Hospital (MGH) contracted with Patterson Dental Supply, Inc. (PDSI) specifically to manage its patients’ data safely and securely. Instead, MGH found that outsourced patient data is no more immune to attack: PDSI databases were hacked, and 4,300 patient dental records, medical ID numbers, Social Security numbers, and other identifying information were stolen or compromised.

Be Safe


SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.

Ryan Fahey