Security Breaches In Healthcare: How These 7 Recent Cases Happened

Jake Olcott | August 16, 2016

There have been a number of large healthcare breaches in recent years. In fact, the Washington Post called 2015 the “year of the health-care attack.” This chart, accessed from Modern Healthcare, represents 11 of the largest healthcare breaches as of February 2015:

[Chart: Security Breaches In Healthcare: How 4 Of The Largest Cases Happened]

Below, we’ll dissect how 7 large security breaches in the healthcare sector occurred—and why that’s important.

1. Anthem

80 Million Records Compromised

The largest healthcare breach to date affected Anthem, the second-largest health insurer in the U.S. In late January 2015, the medical insurance provider began notifying 80 million individuals that their personal information was compromised in a December 2014 cyber attack.

The company noted that the hackers may have accessed “names, dates of birth, social security numbers, healthcare ID numbers, home addresses, email addresses, and employment information, including income data.” It did not believe that medical or credit card information was released. After the breach, Anthem set up a website where affected customers could learn about its credit monitoring services and identity theft repair.

Anthem has been notoriously secretive about its cybersecurity, leading some to suggest that the company’s lack of transparency was an attempt to avoid further embarrassment. Several months after the breach was brought to light, Anthem refused a request for an audit, noting that performing an audit would require it to disable its anti-virus software, which could cause outages within its IT system. This was especially troubling because Anthem insured many government employees and thus had an established business relationship with the government.

2. Premera 

11 Million Records Compromised

In March of 2015, Premera—a large medical insurance company—revealed that a hacker had accessed its network, compromising the data of 11 million individuals. The company didn’t expound on how the hacker accessed the information, but it did disclose that the hacker might have accessed “social security numbers, birthdays, emails, physical addresses, bank account information, clinical information and detailed insurance claims” belonging to both past and present customers, dating back to 2002. A Premera web page set up to release information about the breach stated that the company learned of the breach in January of 2015, but that the original breach had actually taken place nine months earlier, in May of 2014. (Note: Premera isn’t represented in the visual above, as the incident wasn’t discovered until after this bubble chart was created.)

3. TRICARE (Via Science Applications International Corporation)

4.9 Million Records Compromised

This 2011 breach was unique for many reasons. According to Reuters, an employee of one of TRICARE’s vendors—Science Applications International Corporation (now Leidos Holdings Inc.)—was transporting backup tapes that included electronic healthcare data for TRICARE’s patients when the employee’s vehicle was broken into and robbed. Those tapes were among the items that the robber stole, but investigators didn’t believe the thief was after the tapes—or even knew what they were. In 2014, federal judges closed out all but two lawsuits that formed after the breach, citing that “the mere loss of data—without evidence that it has been either viewed or misused—does not constitute an injury sufficient to confer standing.”

4. Community Health Systems

4.5 Million Records Compromised

In August 2014, Community Health Systems—which owns and operates over 200 hospitals across the U.S.—reported a massive cyberattack that compromised the records of over 4.5 million patients. According to InformationWeek, the information, which included “patient names, addresses, birthdates, telephone numbers, and social security numbers,” was gathered as a result of an exploited SSL vulnerability, Heartbleed. Interestingly, cybersecurity analysts have speculated that this breach and the Anthem breach were linked.

5. Banner Health

3.7 Million Records Compromised

A data breach affecting up to 3.7 million individuals at Banner Health was disclosed in early August 2016. The data compromised included patient and physician names, addresses, social security numbers, clinical information, and health insurance information. It is believed that payment data used at vending machines and other food and beverage outlets was compromised as well. It is still unclear how attackers gained unauthorized access to Banner Health's servers and computer systems.

6. Mass General Hospital

4,300 Records Compromised

In late May 2016, Mass General Hospital (MGH) announced that 4,300 dental patient records were stolen. According to MGH, these records were not stored on their systems, but instead stolen from the network of a third-party vendor—Patterson Dental Supply Inc. (PDSI)—that assists the hospital in managing dental patients at several practices. The records stolen from PDSI included names, dates of birth, social security numbers, dental provider information, medical record numbers, and dental appointment information of MGH patients.

7. Prosthetic & Orthotic Care Inc.

Unknown Number Of Records Compromised

Prosthetic & Orthotic Care Inc. (P&O Care) recently announced a data breach that resulted in the exposure of critical patient information. The records exposed included personally identifiable information (PII) and personal health information (PHI), such as names, contact information, patient identification numbers, diagnostic codes, appointment dates, billing amounts, social security numbers, birth dates, insurance providers, and photos of procedures. It has been reported that records were dumped in plain text on Pastebin.

The P&O Care breach occurred after a hacker exploited a zero-day flaw—or an issue unknown to the vendor—within software the company had recently purchased.

Steps Healthcare Organizations Should Take To Mitigate Cyber Risk

Healthcare organizations typically outsource a great deal of their technology. But with cyber risks constantly evolving, the vendor selection process has become extremely important. With confidential patient records at risk, healthcare companies cannot simply outsource services or make purchases based on the lowest bidder—cybersecurity also needs to be an important deciding factor.

There are a few steps you can take to mitigate the cyber risk your healthcare organization faces from third parties:

  1. Know the security performance of the vendors you work with already. Many healthcare providers tend to rely on software provided by third parties and, as a result, are often playing catch-up when vulnerabilities emerge in software they have already purchased and implemented. This can leave your healthcare organization in a bad place when it comes to potential security breaches.
  2. Make sure you’ve done your due diligence during the selection stage of your products or services. Knowing how well your prospective vendors handle security is imperative for the selection process. Vendor security assessments can help organizations evaluate potential partners and identify third-party risks before they become problematic.

  3. Once you've chosen a vendor to work with:
    • Monitor their security performance in real time to be alerted of any security incidents that may affect your organization.
    • Ensure that any third-party software you're running is up-to-date, and stay on top of all emerging vulnerabilities.
    • Make sure your third parties and your internal security teams patch vulnerabilities quickly to reduce the chance of infection and data loss. No matter what safeguards you put in place, vulnerabilities will affect your network or the services you’re running—it’s inevitable.

What To Keep In Mind

There’s nothing fundamentally different about how breaches happen in the healthcare sector. A cybersecurity incident takes place for one of three reasons:

  1. Because of someone on the outside—like a phishing scam where someone is sent an embedded piece of malicious code in an email.
  2. Through a trusted insider—who chooses to exploit their privileged access to data or intellectual property.
  3. Through an attack on your supply chain—when someone can manipulate the hardware or software your company uses to gain access to an infrastructure or network.

But just because these attacks aren’t unique to healthcare providers doesn’t mean they don’t hold unique consequences. In a recent USA Today article, Ann Patterson, the senior vice president and program director for the Medical Identity Fraud Alliance, spoke about how these types of breaches could be far worse than credit card breaches: "You really can't change your birth date. So when that kind of [personally identifiable] information is out there, the type of fraud that is perpetrated in the healthcare sense involves your well being, your life."

Creating a vendor management policy allows healthcare organizations (and other companies) to properly prepare for any cybersecurity incidents, thus mitigating risk and giving them confidence that they (and their vendors) are meeting the commonly expected standards of care.
