Lessons Learned from the Biggest Healthcare Data Breaches in History

Healthcare Data Breaches Blog (3)Digital healthcare has been growing to satisfy the demands of an industry eager for healthcare technology that provides better physician collaboration and improved patient care. However, with every digital transformation comes challenges that can quickly turn into nightmares.

Where there is electronic protected health information (ePHI), there are hackers lurking in the dark web to steal this valuable information. Although this may sound like the plot of a bad horror movie, the frightening truth is that healthcare data breaches are on the rise. The Identity Theft Resource Center (ITRC) reports that total breaches in the U.S. increased by 40 percent between 2015 and 2016. You can learn from the biggest healthcare data breaches in history below to see how to better protect your healthcare organization and your patients’ ePHI.

The rankings below are listed from smallest to largest based on the number of affected individuals according to the U.S. Department of Health and Human Services Office for Civil Rights.

Newkirk Products: 3.47 million (August 2016)

New York-based Newkirk Products announced mid-2016 that more than 3.46 million patients were impacted from a hacking/IT incident in which a cyber attacker gained access to a server containing important health information. As one of the largest healthcare identification card issuers in the country, the company holds important health-plan information, including names, addresses, primary care physicians, birthdates and Medicaid ID numbers, all of which were compromised.

Best Practice: Invest in Data Protecting Software

The ghoulish truth is that 80 percent of application security defects can be detected during the testing phase, but once the software reaches the deployment stage, it is exponentially more difficult and expensive to fix. Organizations need to invest in protecting their servers using software that places security effectively in the design and application building levels.

Banner Health: 3.62 million (August 2016)

Just days before Newkirk Products’ announcement, Phoenix-based Banner Health released details of a cyberattack that affected 3.62 million of its patients, becoming the single largest healthcare data breach of 2016. In the hack, attackers gained unauthorized access to computer servers that were used to process payment card information through food and beverage outlets at certain locations within Banner Health. Compromised data included patient names, addresses, birthdates, appointment dates, physician information, health insurance information and Social Security numbers.

Best Practice: Choose the Right Third-party Vendor

Not all the pumpkins in the patch are rated equal. Choosing the right third-party vendor is vital to the protection of patient data and the reputation of the organization. Vendors must be evaluated with end-to-end encryption and a security-first design approach to meet the needs of HIPAA compliance.

Excellus Health Plan: 10 million (September 2015)

In mid-2015, Upstate New York healthcare company Excellus Health Plan discovered a data breach that turned out to be the third largest healthcare data breach in history. Affecting more than 10 million patients, the hack exposed highly sensitive data including Social Security numbers, medical data and financial information.

Best Practice: Increase the Security Standard

Anticipating HIPAA violations can often feel like weaving through a haunted house and waiting for the monsters to jump out around every corner. However, healthcare security shouldn’t incite fear. Instead, what should scare organizations is relying solely on HIPAA compliance for security instead of the minimum standard for protecting physical and digital healthcare information that it has now become. Healthcare organizations need to invest in stricter security standards such as those provided under HITECH and HITRUST.

Premera Blue Cross: 11+ million (January 2015)

Only a few weeks into 2015, Premera Blue Cross announced a cyberattack affecting over 11 million customers, making it the second largest healthcare data breach to-date. The Washington-based company revealed that the attack compromised patient information, including names, dates of birth, Social Security numbers, health care ID numbers, home and email addresses and work information like income data.

Best Practice: Create Stricter Portable Device Control

With the Internet of Things (IoT) exploding around the globe, the risk of so many unprotected connection endpoints on a single network is enough to spook any Health IT personnel. Healthcare companies need to crack down on the number of connected devices by creating stricter policies on BYOD as well as strengthening networks to handle the increasing number of healthcare-related devices and technology used within clinics and hospitals.

Anthem: 78.8 million (January 2015)

Indianapolis-based payer Anthem reported a data breach in early 2015 that resulted in the exposure of approximately 78.8 million patients, making it the largest healthcare data breach of all time. According to reports, hackers were able to bypass multiple layers of cybersecurity with a single phishing email that was sent and responded to by an employee of one of Anthem’s subsidiaries. As a result, attackers were able to download malware onto Anthem’s network and gain database access.

Best Practice: Make Employee Training a Priority

The frightening realization is that insider breaches continue to be the leading cause of security breaches in the healthcare industry with employee error or negligence accounting for 43 reported incidents in 2016 alone. To mitigate this growing risk, healthcare organizations need to invest in continuous employee training. When employees are better-educated on security best practices, cleverly disguised phishing emails will be reported, ultimately avoiding a future security breach disaster.

Share this entry
Contact Us