Security Breaches in Healthcare: Lessons Learned From 5 Recent Cases
Jake Olcott | August 16, 2016
There have been a number of large security breaches in healthcare over recent years. Indeed, 89% of healthcare organizations have experienced a data breach in the past three years, and more than 32 million people had their protected health information (PHI) breached in 2019.
Why healthcare is vulnerable to security breaches
Spurred by digital transformation, the cybersecurity landscape in the healthcare sector is a perilous one. Our own research found that healthcare organizations have much to do to improve their security postures: 50% of these companies are at a high likelihood of experiencing a data breach due to out-of-date or unpatched systems, insecure access points, existing malware infections, or other vulnerabilities.
Third- and fourth-party contractors in the healthcare sector also pose a significant threat, especially given the increased dependency on outsourced services such as billing and records. Furthermore, greater interaction with cloud service providers, mobile, and IoT technologies has broadened the risk landscape to encompass vendors and contractors.
The impact of security breaches in healthcare is also growing in scope. In addition to the financial and reputational damage experienced by the breached organization, poor cybersecurity hygiene in hospital and healthcare settings can also have a direct impact on patient care, including mortality rates.
5 Notable security breaches in healthcare (and why they matter)
Below, we’ll examine recent security breaches in the healthcare sector, assess the impact, and suggest risk mitigation and cybersecurity risk management steps organizations in this space can take to better protect their systems, data, and patients.
80 million records compromised
Although this breach is now a few years old, it’s included here because it’s still the largest healthcare breach to date. Anthem, the second largest health insurer in the U.S., began notifying 80 million individuals in late January 2015 that their personal information was compromised in a December 2014 cyber attack.
They noted that the hackers may have accessed “names, dates of birth, social security numbers, healthcare ID numbers, home addresses, email addresses, and employment information, including income data” — and did not believe medical or credit card information was released.
After the breach, Anthem set up a website where affected customers could learn about their credit monitoring services and identity theft repair.
An investigation by state insurance commissioners blamed the breach on an unnamed attacker who was likely acting on behalf of a foreign government. Federal regulators also conducted an investigation, resulting in a $16 million settlement between Anthem and HHS — the largest HIPAA settlement in history.
HHS found that Anthem had failed to implement appropriate measures for detecting hackers and was also required to conduct a risk assessment and correct any deficiencies in its cybersecurity with HHS oversight.
In June, 2019, Quest Diagnostics, one of the biggest blood testing providers in the country, sounded the alarm that nearly 12 million of its customers may have had their financial, social security, and medical information breached due to an issue with one of its vendors.
The incident is one of the most high profile third- and fourth-party data breaches to impact the healthcare sector. For eight months between August 2018 and March 2019, Quest was notified that a threat actor had unauthorized access to the systems of its billing collections vendor, American Medical Collection Agency (AMCA).
As with many “nth” party breaches, Quest Diagnostics had little visibility into the nature of the breach and at the time of the June, 2019, announcement, the company had not received “detailed or complete” information from AMCA about the breach. It took a further two weeks for AMCA to disclose the number of patients affected and what information was accessed.
It’s also emerged that Quest Diagnostics wasn’t alone in falling victim to the breach; 13 additional entities have since come forward including LabCorp, BioReference, Penobscot Community Health Center in Maine, and Austin Pathology Associates — raising the number of records exposed to approximately 25 million patients.
Following the breach, AMCA hired a third-party external forensics firm to investigate any potential security breaches in its system, in addition to other security hardening measures.
Lessons learned: The AMCA breach demonstrates that third, fourth, and nth parties represent a worrisome source of risk in healthcare. It’s critical that healthcare providers and those in their supply chains find a way to gain visibility into the security posture of their entire supply chain. They must also ensure that any vendor in that supply chain who stores, transmits, or collects patient or other critical data aligns their security controls with the healthcare organization’s risk tolerance and adheres to regulatory obligations.
3. Dominion National
2.96 million records compromised
A month after the AMCA breach was revealed by Quest Diagnostics, Virginia-based insurer, Dominion National, notified patients that their personal and medical data was potentially breached following a stunning nine-year hack on its servers that began in 2010. In addition, the PHI of individuals who are members of health plans for which Dominion National provides administration services for was also breached.
An internal alert revealed the breach, although the nature of that alert remains undisclosed. Customers were notified of the breach about 60 days after the subsequent investigation into the breach was completed — breaking from HIPAA requirements to report breaches within 60 days of discovery, reports Health IT Security.
One of the health plans administered by Dominion National as a third-party is Providence Health Plan. The company has since notified 122,000 members of its dental plan programs that their personal information may have been exposed in the incident.
Lessons learned: The Dominion National breach underscores the complex and connected nature of the healthcare sector, where organizations frequently assume the role of both first- and third-party vendors.
In addition to focusing on internal security management performance, it’s critical that healthcare entities up and down this interconnected supply chain properly manage third- and fourth-party risk. Measures include monitoring their security performance in real-time, ensuring that any third-party software used by the first-party is up-to-date, and making certain that third parties and internal security teams patch vulnerabilities quickly.
4. Oregon Department of Human Services
645 thousand records compromised
A January 2019 data breach of Oregon’s Department of Human Services (DHS) exposed the social security numbers, personal health information, and other information used in DHS programs. Triggered by a phishing email, the hacker was able to gain access to Oregon DHS employee email accounts for 19 days and hack personal client information found in email attachments.
Once identified, remote access to all email accounts was blocked, although the investigation involved scouring through two million emails to determine what data had been viewed, reported the HIPAA Journal.
Lessons learned: This attack exposes the fact that healthcare organizations are a highly lucrative and vulnerable target for hackers.
While Oregon DHS stressed that they do have stringent safeguards in place, such as security updates, up-to-date patching, security assessments, and more, technology can only do so much. Healthcare organizations must also train staff on security awareness in an engaging and impactful manner. This means moving away from a “one-and-done” approach.
Security leaders need the buy-in and collaboration of their peers across the organization to prioritize training throughout the year. Several short sessions are more impactful than one-offs, perhaps one on password hygiene, another on phishing. Keep those sessions relevant. This means highlighting the human impact of security breaches in healthcare, the motives of hackers, and why everyone plays a part in protecting systems and patient data.
5. Rush System for Health
45,000 records compromised
In March 2019, Chicago-based Rush System for Health, announced that it learned of a data breach two months earlier that exposed 45,000 patient records via a third-party claims processing vendor.
The incident took place when an employee at the vendor, MiraMed, improperly shared a file that included personal Rush patient information to an unauthorized party. A subsequent investigation found that the Rush’s internal IT systems and network were not compromised.
In a statement, the healthcare system pledged that: “Rush understands the importance of maintaining the privacy and security of patients’ information and we will maintain our diligence to prevent this in the future, including reviewing contracting processes and vendor oversight.”
Lessons learned: Once more, this incident brings third-party risk management (TPRM) firmly into question. While there are limits to controls you can place on the actions of vendor employees, there are steps healthcare organizations can take to pre-assess vendors for risk, incorporate risk management into contracts, continuously monitor vendors for security risk, and collaborate with them to protect against a breach. Learn more in our blog post, 4 Ways to Minimize the Risk of a Third-Party Data Breach.
The unique consequences of healthcare security breaches
Many of the attacks highlighted above aren’t unique to healthcare providers, but that doesn’t mean they don’t hold unique consequences. In a USA Today article, Ann Patterson, the senior vice president and program director for the Medical Identity Fraud Alliance, spoke about how these types of breaches could be far worse than credit card breaches: "You really can't change your birth date. So when that kind of [personally identifiable] information is out there, the type of fraud that is perpetrated in the healthcare sense involves your well being, your life."
Having a robust security performance management program in place internally and a vendor management policy to mitigate third-, fourth-, and nth party risk allows healthcare organizations (and other companies) to properly prepare for any cybersecurity incidents — thus mitigating risk and giving them confidence that they (and their vendors) are meeting the commonly expected standards of care.
This post was updated in September 2020 to include new BitSight and industry information.
Between difficulty communicating with boards and executives, decreasing budgets, and difficulty measuring how exactly risk was being reduced, security leaders are under pressure to change the way they do things. The situation for security...
Cloud computing is not new to the cyber world; it’s here to stay. Web services are common in our everyday lives and workplaces, with things like Facebook, Salesforce, JIRA, Adobe, and GSuite all falling into the cloud-based category. But...
In the cybersecurity industry we deal with news of breaches or potential threats nearly every day, but when you really think about it, it’s bizarrely rare how little these events impact our everyday lives. Yes, they impact the professional...