The blight of cybercrimes and data breaches is not leaving anytime soon.

Data breaches in healthcare have increased in both size and prevalence. When we see the last five years’ data, the healthcare industry ranks second as compared to other industries when it comes to data breaches.

In total, about 40 million healthcare records have been exposed so far in 2019 alone.

Why Healthcare Data Hacks are sensitive?

These health data breaches have caused a great deal of concern, especially when the information being exposed is highly sensitive and valuable in nature.

In particular, when loaded with someone’s health information, criminals can commit medical identity theft to see a doctor, get prescription drugs personally, obtain restricted drugs, or file claims under the victim’s name. The impact of health insurance fraud includes financial losses and limited access to healthcare.

READ MORE: The State of Healthcare Compliance in India

Hackers also sell the personal health information like Social Security Number, Credit/Debit card details, etc. in the black market which causes serious impact for the victim.

In this post, we disclose the largest hacks of healthcare data. We have listed them in chronological order, starting with the most recent one:   

Healthcare Data Hacks
Source: Freepik

LifeLabs (2019)

Breach Size: 15 M

In November 2019, Canada’s LifeLabs discovered unauthorized access to their IT systems that contained data from around 15 million patients.

On investigation, the officials revealed that the breached data also included lab results of about 85,000 customers from 2016 or earlier. The data also included health card information from the time duration.

Overall, the exposed data of 15 million individuals included names, numbers, emails, addresses, DOB, login information, health card numbers, and lab results.

Quest Diagnostics (2019)

Breach Size: 11.9 M

American Medical Collection Agency (AMCA) is a billing collections service provider that works with Quest Diagnostics. In June 2019, AMCA discovered that an unknown user had managed to access the data of its systems and steal the patient’s data of various entities, including Quest.

The data exposed included about 12 million patient’s data of Quest, involving financial data, Social Security numbers, and medical information.

Indian Healthcare Website (2019)

Breach Size: 6.8 M

In February, a shocking incident was revealed to the public, regarding hacker named fallensky519 stealing the data of 6.8 million users from an Indian healthcare website.

It was spotted that the data was kept on sale by the hacker in underground web markets for around seventeen hundred dollars. The data had personally identifiable information like names, numbers, and addresses as well as doctor and patient information. (2019)

Breach Size: 5 M is a US-based insurance marketing company that lets users get quotes on supplemental medical insurance. In May 2019, it was found that a part of the website containing marketing leads database of more than 5 million users was left open and accessible online.

The records contained the information including first and last name, full address, IP address, Email ID, DOB, gender, and marketing-related information. About 2,39,000 records also had insurance-related information, for example, cancer insurance.   

“Acronis is directly responsible for saving our company 1200 hours per year for IT operations staff in backup and recovery workflows.” CIO, high performance IT company.
Read details in a report by Forrester.

Atrium Health (2018)

Breach Size: 2.65 M

In September 2018, there was unauthorized access to databases that breached over 2.65 million Atrium Health patients’ data.

This was due to a cyberattack to databases hosted by AccuDoc Solutions Inc, a vendor that offers billing services to healthcare providers, including Atrium Health.

This company operates the online payment system of Atrium Health, that involves a network of 40 hospitals throughout North and South Carolina and Georgia.

Atrium Health’s impacted database, hosted by AccuDoc Solutions, consisted of patient information, including names, addresses, Social Security Number (in some cases around 700,000 were exposed), health information services, and more.

On revelation, access was terminated, and investigation was started by the officials.  

Health South East (2018)

Breach Size: 2.9 M

The Health South East RHF, the healthcare organization that manages many of Norway’s hospitals disclosed a comprehensive security breach in January 2018. On investigation, it was found that the data attack affected more than half of Norway’s population.

The exposure was due to a hacking attempt; however, it is unclear what information the hackers accessed.

UnityPoint Health (2018)

Breach Size: 1.4 M

A phishing attack on the business email system of UnityPoint Health compromised the data of 1.4 million patients. The organization faced another breach earlier in the year 2018 which then exposed more than 16,000 patient records.

UnityPoint was targeted with a series of phishing email attacks that looked like an email was sent from an executive from within the organization.

READ MORE: Rethinking data security: 5 ways encryption can help to protect your data

Banner Health (2016)

Breach Size: 3.62 M

Arizona’s Banner Health in mid-2016 disclosed a cyberattack that had breached the data of 3.62 million patients. The identification came after an employee detected unusual activity on the company’s private servers; thereupon, Banner hired cybersecurity experts to investigate.

The team discovered two attacks through which the hackers accessed patient and payment system data.

The exposed data included names, addresses, credit card numbers, expiration dates, birth dates, internal verification codes, Social Security numbers, doctors’ and healthcare information.

Medical Informatics Engineering (2015)

Breach Size: 3.9 M

In June 2015, Medical Informatics Engineering announced a suspicious activity on its server that affected more than 11 healthcare providers and 3.9 million patients. The information that was possibly affected included patient names, phone numbers, dates of birth, mailing addresses, Social Security numbers, and other sensitive information.

Anthem (2015)

Breach Size: 78.8 M

Anthem, Inc, was hit by a cyberattack in January 2015 that exposed as much as 79 million patients’ personal information. The breached data included the patients’ names, addresses, birthdates, email addresses, Social Security numbers, medical IDs, and employment and income information.

The data attack was expected to have started in 2014. The company agreed to pay the settlement of $115 million in 2017 and in 2018 and was charged with $16 million fine.

Premera Blue Cross (2015)

Breach Size: 11 M

Premera discovered a data breach in January 2015 that initially occurred in May 2014. A broad range of patient-related data from as far as thirteen years, that comprised medical records, bank account information, Social Security numbers, date of birth and other sensitive data. Overall, as many as 11 million people were affected.

Advocate Health Care (2013)

Breach Size: 4.03 M

Advocate Health Care handles 12 hospitals and more than 200 other treatment centers. In mid-2013, it discovered that multiple data breaches had revealed unencrypted medical records and personal information of about 4.03 million patients.

This breach happened due to the physical theft of four desktop computers from an administrative office.

Further, the company was charged with a settlement of $5.55 million.

Sutter Medical Foundation (2011)

Breach Size: 4.24 M

Sutter Medical Foundation is a not-for-profit health system based in Northern California. It suffered a data breach after a physical computer was stolen from a medical office that impacted 4.24 million patients.

The computer desktop had password protection but didn’t have an encryption which led to data breach. The breached data included personal and medical information, but not health plan or Social Security numbers.

Tricare (2011)

Breach Size: 4.9 M

About 4.9 million patients were affected by a health data breach including the stealing of backup tapes for electronic health records. The exposed data included Social Security numbers, addresses, phone numbers, and other sensitive data, but not financial data.

“Before the Acronis implementation, there was a huge risk that malware could take down our company. Now, with Acronis, I can say that we’ve done everything possible to protect our data from an attack.” CIO, high performance manufacturing company.
Read details in a report by Forrester.

Virginia Department of Health (2009)

Breach Size: 8.26 M

The Virginia agency, in charge of the online prescription database, acknowledged a data breach in May 2009. Its database was seized by a hacker that demanded $10 million to return its record. The database included more than 8 million patient records (including SSNs) and 35.5 million prescriptions.

Wrapping up – Be aware and encrypt all data using a strong risk-based approach

Where organizations of other sectors should focus more on preventing external hacking, the challenge in the healthcare industry is more internal.

READ NEXT: 10 healthcare data security measures everyone should implement

It is, therefore, more important that layers of defense are applied to defend your valuable healthcare data against cyberattacks. Furthermore, the data stored in a file system, moving across an online network or database need to be encrypted and backed up

Do your research while choosing a framework to protect your data.