The healthcare sector is particularly vulnerable to data breaches, experiencing some of the highest volumes of cyberattacks. The consequences of these breaches can be devastating regarding financial damage and compromised patient data.
Examining the biggest data breaches in the healthcare industry and their implications can provide valuable insights and lessons for organizations to strengthen their cybersecurity measures.
Date: September 2011
Impact: 5 million patients
The Tricare data breach stands as one of the largest breaches in the healthcare industry. Tricare, a healthcare program serving active-duty troops, their dependents, and military retirees, suffered this breach following the theft of backup tapes containing electronic health records. These tapes were stolen from the car of an individual responsible for transporting them between facilities.
This breach highlights the importance of adhering to stringent cybersecurity practices and ensuring the encryption of sensitive data.
Date: April-June 2014
Impact: 4.5 million patients
The Community Health Systems data breach was carried out by cybercriminals believed to be located in China. Exploiting a software vulnerability, they deployed sophisticated malware, leading to the theft of sensitive patient data.
To prevent similar breaches, educating employees about the warning signs of malware injection attempts and other common cyber threats in the healthcare industry is necessary.
Date: July 2015
Impact: 4.5 million patients
UCLA Health suffered a data breach that began in October 2014, although it initially appeared to lack malicious potential, in May 2015, a cyberattack compromised sensitive patient information.
A critical lesson from this breach is the need for timely reporting. UCLA Health was fined $7.5 million for failing to report the breach promptly, violating the breach notification protocol specified under HIPAA. Organizations should conduct thorough investigations to prevent reporting delays whenever suspicious network activity is detected.
Date: March 2022
Impact: 2 million people
Shields Healthcare Group experienced a data breach when an unknown cyberattacker accessed their network server. Although data compromise has not been confirmed, various types of sensitive data, including full names, social security numbers, birth dates, home addresses, provider information, diagnosis information, billing information, insurance numbers, medical record numbers, and other medical treatment information, are at risk.
This breach highlights the importance of a zero-trust approach to cyber threat investigation and the need for data exfiltration detection measures.
Date: May 2020
Impact: 3.3 million patients
Trinity Health fell victim to a ransomware attack attempt carried out against its third-party vendor, Blackbaud. Although Trinity Health successfully blocked the attack, the hackers managed to exfiltrate a subset of patient information data. Because the guarantee of permanent destruction of the stolen data could not be confirmed, Trinity Health treated the incident as a highly probable data breach.
To prevent incidents like these, organizations should implement a third-party vendor attack surface monitoring solution, refrain from complying with cybercriminal demands, and enhance incident response plans.
Date: January 2022
Impact: 1.3 million patients
Broward Health suffered a data breach through a compromised third-party medical provider with access to its patient database. It is speculated that the compromised device did not implement multi-factor authentication (MFA).
To prevent similar breaches, organizations should implement MFA across all endpoints, secure all privileged access management, and keep track of all endpoints connecting to the private network.
Date: July 2022
Impact: 2.6 million people
OneTouchPoint, a third-party mailing and printing vendor, suffered a data breach when its systems were illegally accessed. This breach exposed sensitive information from over 30 healthcare providers, including medical and patient records.
To prevent similar incidents, businesses should conduct annual reviews of their security policies, ensure all safeguards are current, and verify the HIPAA compliance of third-party contractors handling sensitive patient information.
Go deeper:
The Change Healthcare incident, orchestrated by the ransomware group ALPHV (also known as BlackCat), has been labeled "the most significant and consequential incident of its kind against the US healthcare system in history" by American Hospital Association President and CEO Rick Pollack. The hackers gained remote access to the company's Citrix portal, which lacked multifactor authentication, and stole six terabytes of sensitive data, including personal information.
The aftermath of this breach has been nothing short of catastrophic. Change Healthcare was forced to go offline, creating a backlog of unpaid claims that left hospitals and doctors' offices reeling from cash flow problems and threatened patient access to care. The financial impact on the company's parent, UnitedHealth Group, is estimated to exceed $1 billion, including lost revenue, recovery costs, and a $22 million Bitcoin payout to the hacker group.
A data breach is when sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals. This can include personal information such as names, social security numbers, credit card details, and medical records. Data breaches can occur through various means, such as hacking, malware attacks, insider threats, or inadequate security measures.
Yes, legal action can result from a data breach, as affected individuals or organizations may sue for damages caused by the breach.
Healthcare organizations can reduce the risk of data breaches by implementing strong cybersecurity measures, conducting regular security training for employees, and using encryption to protect sensitive data.
Upon discovering a data breach, a healthcare organization should contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.
See also: HIPAA Compliant Email: The Definitive Guide