The healthcare industry is a profitable target for hackers who wish to illegally obtain healthcare information of private individuals to then sell on the black market. According to some reports, healthcare information can be sold by hackers for nearly ten times the price of credit card numbers. Those who buy the information use it for nefarious purposes, such as committing identity fraud to buy medical equipment or drugs that can then be sold for a profit, or filing fake claims with insurance companies.
Hospitals typically have unsophisticated or outdated security systems, and run on old computer systems, making them an easy target for hackers. Hackers are becoming increasingly aware of these lucrative targets, and as more and more healthcare providers switch to using electronic systems to protect their records, an increasing number of patients are at risk of fraud. According to a survey by the Ponemon Institute, which conducts independent research on privacy and data protection, 62% of healthcare organisations experienced a data breach in the 12 months prior to the survey. In another report, they evaluated the profit that hackers are making off such attacks to be up to $3.7 million per attack on a large organisation.
Here, we shall discuss some of the biggest known breaches in protected healthcare information (PHI) in the US. It is worth noting that while hacking incidents and cyberattacks are actually responsible for a relatively small number of breaches, the number of records involved in each breach is large, and therefore most records are stolen through these types of attacks. It is also evident from the data that 2015 was a historically bad year for attacks, with 4 of the top 5 breaches occurring.
- Anthem Blue Cross
In January 2015, one of the worst months on record for breaches, Anthem revealed that 78.8 million patient records had been stolen, the biggest breach in history. An unknown hacker accessed their database and stole information including names, birthdays, Social Security numbers, addresses, email addresses, and employment and income information. No credit card information or medical information was compromised in the attack. Anthem paid a historically large settlement of $115 million, which was used to pay for credit monitoring services for those who had their data stolen in the hack.
- Premera Blue Cross
Also in 2015, Premera Blue Cross announced that the medical information of 11 million customers had been compromised in a breach. The information taken by the attackers included Social Security numbers, bank account details, and medical records. It is the largest known breach involving the medical information of patients.
- Excellus BlueCross BlueShield
In August 2015, Excellus, a not-for-profit healthcare insurance company, revealed that nearly 10 million of their customers had their private information compromised in a cyberattack on their systems. The attackers first gained access to their systems in December 2013, and accessed medical data, Social Security numbers, and financial information.
- TRICARE
Around 4.9 million patients of TRICARE, the federal government’s military healthcare provider, had their data compromised in September 2011. The breach was announced by Science Applications International Corporation (SAIC), which oversaw TRICARE’s data security. Unlike most other large breaches of healthcare information, hacking was not to blame; the data was stolen from an employee’s car. Information stolen included Social Security numbers, names, addresses, phone numbers and some personal health data, such as clinical notes, lab tests and prescriptions, but no financial data. Some of the data had been encrypted.
- University of California, Los Angeles Health
UCLA Health drew harsh criticism from data security experts when it announced that hackers had accessed the private information of 4.5 million patients, which the facility had failed to protect with encryption. The FBI was brought in by the medical network, which includes 4 hospitals and 150 offices, to assess the extent of the hacking incident after it was first discovered.
- Community Health Systems
Heartbleed, the infamous security bug, was blamed for the breach of 4.5 million patient records at Community Health Systems (CHS). CHS, an organisation of over 200 hospitals, stated that attackers used the vulnerability to gain access to user credentials, which were then used to log in to the company’s VPN. Social Security numbers, addresses, names, and birthdays were stolen during the attack.
- Advocate Health Care
Advocate Health Care, a Chicago-based organisation, was fined $5.5 million for three breaches it experienced in 2013, the largest fine for a HIPAA violation at the time. The largest of these three data breaches involved the theft of 4.03 million patient records, which were stored on four unencrypted laptops. The company had also experienced a large data breach in 2009; one of the reasons the fine was so large was that the organisation had failed to implement all of the corrective measures following this breach in time to prevent the litany of breaches in 2013.
- Medical Informatics Engineering
Patients of nearly a dozen healthcare providers had their data compromised when Medical Informatics Engineering (MIE) announced that it had suffered a data breach in July 2015. MIE, an electronic health records vendor, revealed that 3.9 million patients were affected by the breach. Stolen information included names, Social Security numbers, phone numbers, mailing addresses, dates of birth, diagnoses, and other sensitive information.
- Banner Health
Arizona-based healthcare provider Banner Health announced in August 2016 that 3.62 million patients had been affected by two cyberattacks on their systems. The US Health and Human Services’ Office for Civil Rights announced that they were launching a federal investigation of this breach in early 2018. Initially, hackers gained access to the health provider’s food and beverage payment systems and used this to gain access to other servers that contained individuals’ medical and personal information.
- Newkirk Products
Also in August 2016, healthcare ID-card issuer Newkirk Products announced that hackers accessed the private information of 3.47 million clients through their system. The information compromised includes primary care provider information and sensitive personal information including Medicaid ID numbers, names (including those of dependents), dates of birth, premium invoice information, and group ID numbers, leaving many of the patients vulnerable to identity theft. However, the organisation stated that they found no evidence that the information had been used for nefarious purposes.