[BreachExchange] The 10 Biggest U.S. Healthcare Data Breaches of 2018

Destry Winant destry at riskbasedsecurity.com
Wed Dec 19 22:28:10 EST 2018


https://healthitsecurity.com/news/the-10-biggest-u.s.-healthcare-data-breaches-of-2018

The threat landscape has continued to evolve throughout the year, with
hackers ramping up targeted, sophisticated attacks. Ransomware
continued to target the healthcare sector, while phishing attacks and
insider errors led to some of the biggest breaches in 2018.

The good news is that awareness continues to increase within the
healthcare sector. However, resources and staffing gaps continue to be
problematic. And hackers will continue to pummel the sector with
targeted attacks through 2019 and beyond.

To learn from the security incidents of the year, we count down to the
year’s biggest data breaches in the healthcare sector.

10. HEALTHEQUITY: 190,000 INDIVIDUALS

The data of about 190,000 HealthEquity customers was breached for
about a month, after a hack on two employee email accounts. Officials
discovered the breach on October 5, when a hacker accessed the
accounts. The first account was breached on October 5 and the other
was accessed on several occasions between September 4 and October 3.

This was HealthEquity’s second breach this year. In June, a hacker
breached another employee email account, compromising the data of
16,000 customers.

9. MEDEVOLVE: 205,000 PATIENTS

In May, the practice management software vendor left its FTP server
open to the public without the need for a login, which exposed the data
of 205,000 patients from two separate providers: Texas-based
dermatologist Beverly Held, MD and Pennsylvania-based Premier Urgent
Care.

First discovered by a security researcher, the FTP server was
configured to allow anonymous logins, did not require login
credentials, and failed to display a banner that could direct users to
not access patient files.

8. MED ASSOCIATES: 270,000 PATIENTS

The Albany-based healthcare billing claims vendor discovered a hacker
accessed an employee workstation on March 22, when the computer
displayed unusual activity. An investigation determined it was a hack
and that the cybercriminal may have accessed 270,000 patient records.

While the workstation did not contain financial data, Social Security
numbers were included in the breached data.

7. OKLAHOMA STATE UNIVERSITY CENTER FOR HEALTH SCIENCES: 279,865
MEDICAID PATIENTS

The Oklahoma State University Center for Health Sciences began
notifying 279,855 patients in January that their data may have been
breached, after a hacker gained access to the provider’s network. The
cybercriminal accessed patient records that contained Medicaid billing
data.

The compromised folders contained patient names, Medicaid numbers,
provider details, dates of service and treatment information. The
investigation could not rule out access.

6. AUGUSTA UNIVERSITY HEALTH: 417,000 PATIENTS

The Georgia-based provider began notifying patients in August of two
cyberattacks that happened nearly one year ago. The health system fell
victim to two phishing attacks in September 2017, but other
cyberattacks successfully breached AU Health in July 2018, September
2016, and April 2017.

The hackers were able to solicit usernames and passwords to gain
access into internal email accounts. Once it was discovered, officials
disabled the infected accounts. The notice did not explain when the
access was first discovered, nor why the notice was released almost a
year after the initial attack.

5. LIFEBRIDGE HEALTH: 500,000 PATIENTS

The Baltimore-based health system fell victim to a malware attack,
which potentially breached the data of nearly half a million patients
for more than a year. On March 18, officials discovered a malware
infection on its server. However, the investigation determined the
hackers first gained access on Sept. 27, 2016.

The breached data contained a trove of patient details, from demographic
information to insurance data and medical histories. For some
patients, Social Security numbers were included in the breach.

4. HEALTH MANAGEMENT CONCEPTS: 502,416 MEMBERS

A ransomware attack on HMC quickly turned into a health data breach,
when hackers were inadvertently provided a file containing personal
data of members. Officials discovered the ransomware infection in
July, on the server used to share files with clients.

HMC paid the ransom to the hackers to release the files, which
decrypted the data. Officials said they accidentally sent the file
containing Social Security numbers, health insurance information and
patient names to the hackers – but did not say how or why.

3. CNO FINANCIAL GROUP: 566,217 CUSTOMERS

CNO’s largest unit, Bankers’ Life, began notifying customers of a
breach discovered on August 7. Hackers accessed several employee
credentials between May 30 and September 13. These unauthorized users
used this information to access company websites, compromising the
data of policy holders and applicants.

The breached data included names, insurance details, dates of birth,
and the last four digits of Social Security numbers. For some,
complete Social Security numbers, credit or debit information,
medications, diagnoses and/or treatment details were included in the
breach.

2. UNITYPOINT HEALTH: 1.4 MILLION PATIENTS

A phishing attack on the Iowa-based health system’s business email
system breached the data of 1.4 million patients. This was
UnityPoint’s second breach this year. In April, a separate phishing
attack on staff email accounts at its Madison campus compromised
16,000 patient records.

The email system was hit with a series of highly targeted phishing
emails that looked as if they were sent from an executive from within
the organization. An employee fell for the scam, which gave hackers
access to internal email accounts from March 14 to April 3.
Notifications began in July.

1. ACCUDOC SOLUTIONS: 2.65 MILLION ATRIUM HEALTH PATIENTS

The largest health data breach of 2018 was caused by a hack on billing
vendor AccuDoc Solutions, which compromised patient data for a week.
The North Carolina-based vendor prepares patient bills and operates
Atrium Health’s billing system. The records were retained from
payments made at some Atrium Health locations.

AccuDoc discovered some of its accounts were compromised by a
cyberattack from September 22 to 29. The investigation determined
hackers could view the data, but not extract it. Atrium Health was
notified of the breach on October 1.

