The ten largest healthcare data breaches reported so far this year all affected more than one million individuals each, totaling nearly 16 million individuals.
HIPAA requires covered entities to report healthcare data breaches of unsecured protected health information (PHI) to HHS’s Office for Civil Rights (OCR). All reported breaches are posted on the public OCR breach portal, sometimes called the HIPAA “wall of shame.” The portal provides information on the number of individuals affected, the breach submission date, type of breach, and the location of the breached information.
The breaches reported so far show that healthcare data breaches are not slowing down and are affecting more people. Last year, one breach by itself affected over 10 million individuals when a third-party vendor and HIPAA business associate, Blackbaud, was hacked. But only one other 2020 breach affected a million individuals, and the other eight largest breaches that year ranged from about 288,000 to 829,000 affected individuals each.
The pandemic continues to overwhelm the healthcare system and cyber criminals are getting savvier. To date, the OCR breach portal shows over 550 covered entities that have experienced a healthcare data breach in 2021. In total, over 40 million individuals had their PHI exposed as a result of these breaches. Some believe the number to be much higher because not all breaches are reported even though the law requires it.
Florida Healthy Kids Corporation: 3,500,000
Health plan Florida Healthy Kids Corporation started the year by reporting the biggest healthcare data breach of 2021 to date on January 29. The breach impacted 3.5 million individuals, including many children.
20/20 Eye Care Network: 3,253,822
Florida-based 20/20 Eye Care Network reported a healthcare data breach to HHS on May 24. The Eye Care Network discovered suspicious activity on its Amazon Web Services (AWS) server on January 11, 2021.
After deactivating and resetting access credentials, 20/20 immediately notified the FBI. A bad actor had hacked into the provider’s AWS cloud storage environment to download and destroy data, so some information was accessed and possibly deleted.
Over 3.2 million individuals were notified that their Social Security numbers, names, addresses, member identification numbers, birth dates, and health insurance information may have been exposed or deleted.
Other eye care providers have also been hit this year, revealing that specialty providers and retail chains can be vulnerable to cyber attacks.
Forefront Dermatology: 2,413,553
Forefront Dermatology, S.C., notified HHS on July 8 of a data breach that affected over 2.4 million individuals. The dermatology practice discovered a network intrusion on June 4 and took its network offline.
However, between May 28 and June 4, an unauthorized party had access to Forefront Dermatology’s IT network and accessed files containing names, birth dates, patient account numbers, addresses, dates of service, provider names, medical treatment information, and medical record numbers.
NEC Networks, doing business as CaptureRx, experienced a healthcare data breach in February that affected over 1.6 million people through 16 separate healthcare organizations. CaptureRx is an IT vendor that helps healthcare systems manage their 340B drug programs.
The breach exposed patient PHI across multiple healthcare organizations, exposing prescription data, names, and birth dates.
Eskenazi Health: 1,515,918
Indianapolis-based Eskenazi Health notified HHS of a data breach on October 1. The breach was discovered on August 4 and led to significant EHR downtime and ambulance diversions.
Although Eskenazi Health was initially unsure whether any PHI had been exfiltrated, the hospital later announced, as the investigation continued, that bad actors had stolen patient information and posted it on the dark web. Cyber criminals may have had access to the hospital’s network as early as May.
The Kroger Co.: 1,474,284
The Kroger Co. reported a healthcare data breach to HHS on February 19. The grocery chain was one of over 100 victims of the Accellion data breach, which occurred in December 2020 and impacted a dozen healthcare organizations.
Accellion’s File Transfer Application (FTA) was compromised when threat actors from Clop ransomware exploited zero-day vulnerabilities.
Accellion is now facing numerous lawsuits from individuals alleging that it failed to maintain adequate security.
St. Joseph’s/Candler Health System: 1,400,000
St. Joseph’s/Candler (SJ/C) Health System in Savannah, Georgia, discovered a ransomware attack on June 17 that led to significant EHR downtime. Further investigation determined that the breach began on December 18, 2020. The hospital system’s computers and telecommunications systems were inaccessible, and clinicians had to document clinical notes with pen and paper.
As of September, SJ/C is facing lawsuits alleging that the Georgia health system was negligent in maintaining security and should have done more to prevent the attack, which went undetected for six months.
University Medical Center Southern Nevada: 1,300,000
University Medical Center Southern Nevada was hit with a ransomware attack in June that compromised files containing the personal information of 1.3 million individuals. The cyber criminals also posted photos of passports, Social Security cards, and driver’s licenses on the dark web for about a dozen individuals.
American Anesthesiology: 1,269,074
New York-based American Anesthesiology client information was exposed when an unauthorized party gained access to the email system of the practice’s business associate, MEDNAX.
Cyber criminals used a phishing attack to gain access to several email accounts for five days, between June 17 and June 22, 2020. The breach report was submitted to HHS on January 8. Patient contact information, health insurance information, treatment information, and billing information were impacted in the business associate breach.
In July, practice management vendor Professional Business Systems, doing business as PracticeFirst, announced that a 2020 ransomware attack had potentially exposed the PHI of patients and employees.
A threat actor attempted to deploy ransomware and successfully copied files from PracticeFirst’s system containing birth dates, names, addresses, Social Security numbers, email addresses, tax identification numbers, diagnoses, lab results, medication information, and employee usernames and passwords. The information was later deleted.
Prevent the Next Healthcare Data Breach
The year is not over, and more healthcare data breaches are likely. In fact, holidays are favored for attacks by cyber criminals, since organizations often have fewer staff working, and their attention may be elsewhere.
Pay attention: review your HIPAA checklist, refresh staff training, and update and patch all software. Review and freshen your HIPAA Risk Analysis. The best defense against cyber crime is strong HIPAA compliance.