The healthcare industry has been under attack since the start of 2020, with the bad guys seeing sensitive PHI as a lucrative target for financial gain. Here, Toolbox lists six mega healthcare data breaches of 2020. (And, no surprise, ransomware and phishing were the leading causes of breaches.)
The healthcare industry has always been slow to learn, especially when it comes to cybersecurity. So when the pandemic hit, healthcare organizations scrambled to shore up their security capabilities. At the same time, cybercriminals were also busy taking advantage of the uncertainty to get their hands on one of the most valued and sought-after data types — healthcare data.
Dr. Zafar Chaudry, MD, senior vice president and CIO of Seattle Children’s, told Becker’s Health IT, “I believe the most dangerous trend in health IT today is medical device vulnerabilities. We’ve been talking about this for years. The COVID-19 chaos has triggered hackers to exploit the weaknesses that are seen in legacy medical devices. Many medical devices continue to use outdated operating systems such as Windows 7, making them an easy entry point into a hospital network for a hacker.”
“Add to this the expanded use of telehealth and remote patient monitoring, and the plane of entry to a hospital’s network is widened further. I only see the situation getting worse unless we take remedial action soon,” he adds.
Breaches in the healthcare sector cost organizations an average of $7.13 million per breach — an increase of 10.5% from 2019, according to IBM’s oft-cited 2020 Cost of a Data Breach report. This is the highest average cost of breaches incurred by any sector. Despite this, only 23% of healthcare organizations had fully deployed security automation tools.
Healthcare data generally includes names, dates of birth, diagnosis codes, policy numbers, personal health information (PHI), etc. Given its sensitive nature, healthcare data is valued at 10x-20x the value of credit card numbers. It can be used to purchase medical equipment through fake IDs, procure prescription drugs, or even be sold on the dark web for a profit.
As a result, threat actors have been targeting organizations as well as individuals seeking to make the most of the technical perils associated with COVID-19.
While major healthcare data breaches dominate the news headlines all the time, there were five breaches where malicious actors used a different attack vector each time. And, as expected, phishing and ransomware remain the biggest causes of data breaches in 2020.
The global #COVID19 pandemic has put a spotlight on cyber security for #healthcare. From #supplychainsecurity vulnerabilities to large-scale legacy #infrastructuresecurity breaches, the #health and #pharmaceutical industry is no s…
— Mark Brown (@markofsecurity) December 10, 2020
Toolbox’s Top Six Healthcare Data Breaches for 2020
1. Blackbaud Breach
Breach Impact: Around 3.4 Million Patients
According to DataBreaches.net, the Blackbaud ransomware incident (May 2020 – July 2020) is probably one of the biggest breaches of the year.
Cloud computing company Blackbaud was targeted in a ransomware attack in February, which remained undiscovered for three months until May. The incident was reported in July. It impacted the data of non-profit organizations, higher education institutions, K–12 schools, healthcare organizations, faith communities, and cultural organizations.
By September 2020, the incident had affected the personally identifiable information (PII) of over 3.4 million (and counting) patients. The number is likely to be much higher, considering only 14 of the 38 Blackbaud clients reported the repercussions of the incident to the government.
This includes healthcare organizations like NorthShore University Health System, Northwestern Memorial HealthCare, Richard J. Caron Foundation, Saint Luke’s Foundation, University of Florida Health, and the University of Kentucky HealthCare.
The company now faces multiple lawsuits.
2. Health Share of Oregon
Breach Impact: 654,000 Patients
The second-biggest breach of 2020 was caused by the lack of appropriate physical security over devices. Reported just two days into 2020, before COVID-19 struck, the breach occurred in November 2019.
Exposed data included the names, addresses, phone numbers, dates of birth, social security numbers, and Health Share ID numbers of members. Health Share of Oregon said no personal health histories were exposed.
Since the device (a laptop) was stolen from Health Share’s transportation vendor GridWorks, the coordinated care organization improved and updated the contractor auditing process. The CCO also offered credit monitoring, fraud consultation, and identity theft restoration free of charge for one year to all affected members.
3. Florida Orthopaedic Institute
Breach Impact: 650,000 Patients
A ransomware attack also caused the breach incident at the Florida Orthopaedic Institute (FOI). FOI discovered the breach when it found encrypted data stored on its servers.
The breach, discovered on April 9 and reported to the United States Department of Health and Human Services (HHS), may have involved exfiltration of data that included patients’ personal information.
Personal information impacted under the incident reportedly includes names, dates of birth, social security numbers, as well as appointment times, physician locations, diagnosis codes, payment amounts, insurance plan identification numbers, claims addresses, and FOI claims history.
FOI offered free credit monitoring to all affected individuals and also updated internal procedures. Law firm Morgan & Morgan alleged that FOI didn’t do enough to protect patient data and filed a class-action lawsuit seeking $99 million in damages.
4. Magellan Health
Breach Impact: 365,000 Patients
Arizona’s Magellan Health was hit by a social engineering-driven ransomware attack in April 2020, which compromised one of its servers. Under the attack, the data of 365,000 patients and employees was stolen before being encrypted.
The attacker impersonated a Magellan client to access the company’s systems five days before the attack occurred. This means attackers had access to Magellan systems for five days before it was discovered and remediated. During that time, the threat actors exfiltrated records like personal information (name, address, employee ID number), W-2 or 1099 (Social Security number or Taxpayer ID number), health insurance account data & treatment, and a limited number of usernames and passwords.
Those impacted by the incident were Magellan Health affiliates such as:
- Merit Health Plan – 102,748 patients
- Magellan Complete Care of Florida – 76,236 patients
- University of Florida Health Jacksonville – 54,002 patients
- Magellan Healthcare in Maryland – 50,410 patients
- Magellan Rx Pharmacy – 33,040 patients
- National Imaging Associates – 22,560 patients
- UF Health Shands – 13,146 patients
- UF Health – 9,182 patients
- Magellan Complete Care of Virginia – 3,668 patients
The company updated its security protocols and offered three years of free identity theft services.
5. BJC Healthcare
Breach Impact: 278,876 Patients
Three employees of the Missouri-based BJC Healthcare fell into a phishing trap in March, which led to a data compromise of over 250,000 patients. The attack also put 19 affiliated hospitals in jeopardy.
Attackers got access to the emails of three employees who had access to patient account numbers, medical records, medications and treatments, consultation dates, and other such clinical data. It also included Social Security numbers and health insurance data of some patients.
Fortunately, the attack was detected on the same day, and access to those emails was secured. It remains unclear whether the attacker managed to get hold of the data through the email accounts.
Nevertheless, data was exposed in the email hack and affected 19 BJC Healthcare affiliate hospitals, including Alton Memorial Hospital, Memorial Hospital Belleville, Parkland Health Center Bonne Terre, and St. Louis Children’s Hospital. The American Hospital Association reported that phishing emails promising N95 masks or ventilators for sale are packed with malware and malicious links.
6. Universal Health Services
Breach Impact: Approximately 400 Facilities Across the United States, Puerto Rico, and the United Kingdom
Fortune 500 healthcare company Universal Health Services (UHS) was possibly hit by a ransomware attack in September 2020, which brought down its systems and reduced ‘medical staff to work with pen and paper,’ according to two UHS nurses who spoke to NBC News.
The attack caused extensive system and network outages, following which the company suspended access to its IT resources. The perpetrator of the attack was Ryuk ransomware, recently named the world’s most fearsome ransomware.
The attack also delayed lab reports and critical care delivery and caused UHS to redirect patients to other hospitals. While patient data was not impacted, the attack paralyzed the company’s healthcare network, which has approximately 400 facilities.
Special Mentions
Elite Emergency Physicians
Elite Emergency Physicians suffered a physical security incident caused by improper disposal of healthcare data of 550,000 patients by a third-party vendor.
PIH Health
California’s PIH Health suffered a phishing attack, which led to compromised email accounts of employees. This incident exposed the data of just under 200,000 patients.
University of California, San Francisco
The University of California San Francisco School of Medicine was attacked by NetWalker ransomware in June. The university shelled out $1.14 million for a decryptor to unlock the servers that were encrypted under the attack.
European Medicines Agency
EMA recently suffered a cyberattack, according to a statement from the agency’s website. EMA is in charge of evaluating and supervising medicinal products being shipped to the European Union.
Details of the attack remain undisclosed as of now. However, “some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed,” Pfizer and BioNTech jointly stated.
IBM uncovered a global phishing campaign targeting organizations involved in the storage and supply chain of COVID-19 vaccines.
Conrad Band, chief information security officer of Children’s Hospital, Los Angeles, said, “For those that plan to continue remote operations for the foreseeable future, the security perimeter is now likely more stretched than ever, reaching into peoples’ homes and as far as their IoT devices.”
“Organizations with new remote and hybrid workforces will need to adjust their cybersecurity budget and strategy to accommodate this new normal, working to better protect their assets from evolving risks associated with maintaining a decentralized workforce. Additionally, they will need to adjust their strategies around training and awareness, asset management, vulnerability management, identity and access management, as well as data loss prevention, backups, and supporting policies,” Band adds.