The number of healthcare cybersecurity breaches is on the rise with tens of millions affected in larger breaches, but hackers may target even regional insurers, smaller healthcare facilities, pharmacies, and individual physician’s offices. These breaches put medical facilities, insurers, and practitioners in the hot seat because they are liable for the security of the information they gather.
Protected Health Information is Invaluable
When there’s a data breach of this type, Protected Health Information (PHI) is at risk. The Department of Health and Human Services defines PHI as “individually identifiable health information” that is transmitted or maintained in physical form or via electronic media. It includes:
Patient records created by providers, health plans and clearinghouses, and employers
Relates to past, present, or future mental or physical health concerns and treatment
Can be used to identify the individual
The three most common locations of PHI theft are hospitals, urgent care clinics, and pharmacies.
Why Cybercriminals Target Health Data
It’s not usually the medical information itself that entices cyberthieves - it’s the identifying data. PHI includes names, addresses, Social Security numbers, employment information, date of birth, and images of vital documents like drivers’ licenses and insurance cards.
With that info in hand, identity thieves have everything they need to wreak havoc. Victims of data breaches often ditch their doctors, change insurers, and hire lawyers to sue those they feel are responsible for not protecting their PHI. This can be problematic for all those in the healthcare industry.
According to consulting firm Accenture, at least one in four consumers have had PHI stolen in a healthcare cybersecurity breach. What’s more stunning is that half of those who had data stolen fell prey to identity theft and paid, on average, $2,500 in out of pocket costs as a result.
Thieves use stolen data to obtain fraudulent health care, commit medical fraud, or get prescription drugs, but mostly, to steal identities. In short, cybercriminals steal healthcare data solely for profit. And rather than getting rarer, healthcare cybersecurity breaches are growing in frequency.
Top 5 Healthcare Cybersecurity Breaches
How are data thieves illicitly accessing healthcare information? Scammers use phishing emails, weaponized ransomware, and misconfigured cloud storage buckets, among other tactics. As cybersecurity protections evolve, so do the hackers as they find newer and more creative ways to steal PHI and put everyone, from patients to practitioners, and everyone in between at risk.
Rated by the number of records stolen, the five biggest healthcare breaches of all time are:
#5 Community Health Systems (2014)
Records stolen: In this cyberattack, 206 CHS hospitals across 29 states saw 4.5 million patient records exposed.
Breach method: Rumored to be an attack by Chinese cyberthieves known as APT 18, a test server containing VPN credentials was attacked via Heartbleed, a bug in the OpenSSL platform. The stolen credentials allowed access to PHI.
Length of breach: This was a two-pronged breach with attacks in both April and June of 2014.
Breach detection: Details were not released.
HIPAA compliance: CHS maintains there was no HIPAA violation because medical information wasn’t stolen, only personal data. Even so, OCR levied fines of more than $10 million.
Fallout: Some experts estimate the end cost will be $75-150 million to CHS.
#4 UCLA Health (2015)
Records stolen: The stolen data included more than 4.5 million patient and hospital staff records from UCLA’s care network including four hospitals and 150 individual offices.
Breach method: UCLA has not revealed the method hackers used to breach their system.
Length of breach: Hackers were inside the UCLA Health System network for approximately a month, but breach confirmation didn’t happen for nine months.
Breach detection: The cyber attackers triggered a network alarm that alerted UCLA to the breach.
HIPAA compliance: UCLA Health System failed to timely notify affected patients, employees, the HHS, and the media about the breach.
Fallout: Two class-action lawsuits emerged from this breach. The data accessed by hackers was not encrypted despite UCLA saying its systems are under “near constant” attacks.
#3 Excellus BlueCross BlueShield (2015)
Records stolen: An estimated 10-10.5 million customers of Excellus had their identifying data stolen including Social Security numbers, personal data, credit card information, and even patients’ medical histories.
Breach method: Forensic analysis found malware within Excellus’ systems.
Length of breach: The breach began in December 2013 and may have lasted more than 20 months.
Breach detection: Excellus found the breach in 2015 as part of a review of its systems triggered by other medical cybersecurity attacks.
HIPAA compliance: The company failed on this measure because although data was encrypted, the breach came via an administrative decryption key.
Fallout: Excellus faces numerous lawsuits by patients that fell victim to identity theft, tax fraud, and credit fraud.
#2 Premera Blue Cross (2015)
Records stolen: More than 11 million records were accessed medical and financial information including bank account and Social Security numbers, plus identifying and medical claims data in the second largest healthcare cybersecurity breach of all time.
Breach method: A website named prennera.com intended to trick employees targeted by a funded espionage group to download malware.
Length of breach: The breach wasn’t detected for 10 months although federal auditors warned Premera of vulnerabilities.
Breach detection: Primera didn’t publicize details of how they detected the breach.
HIPAA compliance: For breaching HIPAA and unintentionally disclosing PHI, Premera will likely pay millions in fines.
Fallout: Five class action lawsuits were filed alleging breach of contract, violations of consumer protection laws, and failure to make timely disclosure of the breach.
#1 Anthem (2015)
Records stolen: Hackers stole nearly 79 million patients records in the biggest healthcare cybersecurity breach of all time. Data stolen included names, Social Security numbers, dates of birth, and home addresses.
Breach method: A fake website and phishing email tricked Anthem employees into downloading malware that enabled this massive data breach.
Length of breach: The breach went unnoticed for six weeks beginning in December 2014.
Breach detection: A database administrator discovered the hack when he noticed improper use of his credentials.
HIPAA compliance: OCR fines were anticipated to reach $1.5 million for the immense HIPAA violation.
Fallout: Anthem paid $115 million to settle lawsuits triggered by the breach, but this amounted to a paltry $50 payout per person or the option of two years of credit monitoring.
If your PHI does wind up on the black market after a data breach, your electronic health record could sell for $1.50-$10, according to CSO. But don’t let that reasonable price fool you. The average profit per stolen record is $20,000 if the buyer can commit medical billing fraud, identity theft, and other shady activities.
About 90% of physicians maintain electronic health records. With roughly 326 million people in the US, that means there are roughly 293 million records at risk of breach. If you add up all these top five breaches, that’s 109 million records which equates to nearly 40% of all medical records in existence, assuming none of the breached files overlapped.
Healthcare security breaches continue to be problematic for insurers, practitioners, and everyone in the industry. Attempted attacks numbers in the millions each day and, unlike other industries, roughly 58% of intrusions are the result of insider error or misuse, says a healthcare data breach study by Verizon. Are you ready?