The healthcare sector has been the target of hundreds of cyberattacks this year. A tally of public data breach reports so far shows that tens of millions of healthcare records have been exposed to unauthorized parties.
Most of the largest data breaches result from ransomware attacks, and the ten largest alone account for more than half of all the healthcare records exposed in 2021.
PII of millions stolen or exposed
The breach notification rule under the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to disclose a breach if it affects more than 500 residents of a state or jurisdiction.
The top ten cyber events with the widest impact listed on the portal of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights are from hacking incidents and account for exposing data of almost 19 million people.
At the top of the list reported this year is an incident that impacted Florida Healthy Kids Corporation. Hackers exploiting vulnerabilities left unpatched for seven years in its website hosting platform had access to data of 3.5 million individuals.
The second-largest data breach in the healthcare sector impacted the 20/20 Eye Care Network in Florida, which resulted in exposing the personal data of over 3.2 million individuals.
Hackers gained access to the company’s AWS S3 buckets and deleted the information. A class-action suit was filed against 20/20 Eye Care Network.
Another notable data breach comes from dermatology group practice Forefront Dermatology, which found that an unauthorized party had access to its systems for a week.
The intrusion exposed information of more than 2.41 million patients, including names, addresses, dates of birth, health insurance plan member IDs, and medical and clinical treatment details.
Ransomware gangs attack
On February 19, 2021, NEC Networks (CaptureRx) discovered that its systems had been compromised two weeks earlier and the intruders had access to customer records.
The investigation later determined that it was a ransomware attack that impacted data belonging to 1.65 million people.
Data of over 1.5 million individuals was compromised in an attack on August 4 against Eskenazi Health public hospital division.
The hackers had been on the internal network since May 19, preparing to encrypt the network, although they failed to complete the operation, the company said.
While the threat actor did not encrypt any data, they managed to steal personal and health information belonging to the organization's patients.
The Kroger Co. confirmed a data breach that exposed records of 1.47 million people. The incident was part of an extortion campaign from the Clop ransomware gang.
Access to corporate data was possible by exploiting vulnerabilities in Accellion’s legacy File Transfer Appliance service used by up to 100 companies.
The Kroger supermarket chain, also a pharmacy operator, agreed to pay $5 million to end claims against it on behalf of customers and employees who had their personal information exposed.
Also a victim of a ransomware attack, the St. Joseph’s/Candler health system announced that it detected the intrusion on June 17, 2021. An investigation revealed that the hackers had access to the network since December 18, 2020.
While on the network, the attackers had access to data of 1.4 million patients, including addresses, dates of birth, Social Security numbers, driver's license numbers, financial information, health insurance plan member IDs, and medical and clinical treatment information.
The REvil ransomware gang breached the systems of the University Medical Center Southern Nevada in mid-June that stored data of 1.3 million people.
The data included personally identifiable information (PII) as well as “certain protected health information,” reveals the data security incident notification from the organization.
American Anesthesiology notified patients in early January 2021 that Mednax Services, one of its service providers, had suffered a phishing incident that resulted in personal information being exposed to an unauthorized party.
The attacker had gained access to the partner’s Microsoft Office 365 email system in mid-June 2020 and could access personal information belonging to American Anesthesiology patients. In total, data of 1.2 million people were exposed.
Last on the list of the largest ten data breaches reported so far in 2021 is Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp., (“Practicefirst”) – a vendor for multiple healthcare providers.
The incident was a failed ransomware attack and it became known in late December 2020. The hackers did not encrypt any data but they copied files from Practicefirst’s network, exposing the personal information of more than 1.2 million patients and employees.
More than 50 hacking incidents disclosed on the HHS portal have affected upwards of 100,000 individuals, showing that organizations in the healthcare sector continue to be attractive targets.
According to HIPAA Journal, close to 45 million healthcare records have been exposed or stolen in breaches reported in 2021.