Healthcare Data Breaches

The biggest healthcare data breaches of 2018 (so far)

Healthcare continued to be a lucrative target for hackers in 2017, with weaponized ransomware, misconfigured cloud storage buckets and phishing emails dominating the year. In 2018, these threats will continue, and cybercriminals will likely get more creative despite better awareness at the executive level of healthcare organizations of the funding needed to protect themselves.

This collection highlights some of the biggest breaches across the industry – and points to some mistakes to avoid in the future.

The Attacks

News

DoD IG finds massive security flaws in Army, Navy EHR

by Jessica Davis

Inspector general says Defense Health Agency sites failed to consistently implement technical, physical and administrative protocols and may have violated HIPAA regulations in the process.

News

Data of 500k patients compromised in LifeBridge Health breach

by Beth Jones Sanborn

LifeBridge said they discovered the breach on March 18, which involved malware that infected the server that hosts their EMR, patient registration and billing systems.

News

205,000 patient records exposed on misconfigured FTP server

by Jessica Davis

MedEvolve, a practice management software vendor, left its FTP server open to the public without the need for a login.

News

OCR investigating Banner Health for breach of 3.7 million records

by Jessica Davis

The Arizona health system is cooperating with the investigation but expects to receive negative findings and a potential fine.

News

Ransomware breaches data of 85,000 patients

by Jessica Davis

Hackers hit the IT vendor of three Center for Orthopaedic Specialists locations in February, which locked out users and encrypted patient data.

News

UnityPoint Health System hit with cyberattack affecting 16,000 patients

by Beth Jones Sanborn

Hospital is advising patients to monitor their explanation of benefits statements to keep an eye out for suspicious-looking activity.

News

California medical device manufacturer reports breach of 30,000 consumers

by Jessica Davis

Inogen reports a hacker accessed an employee email account for more than two months, according to an SEC filing.

News

63,500 records breached by misconfigured database

by Jessica Davis

Middletown Medical left a radiology interface open to the public, exposing patient data in the process.

News

New Jersey fines Virtua Medical $418,000 for HIPAA breach

by Jessica Davis

The penalty highlights the need for healthcare providers to thoroughly vet third-party vendors to ensure security best practices.

News

CareFirst breached again, notifying 6,800 members of phishing attack

by Jessica Davis

The Maryland insurer is already involved in a lawsuit stemming from a 2014 breach of about 1.1 million members.

News

Long Island provider exposes data of 42,000 patients in misconfigured database

by Jessica Davis

Cohen, Bergman, Klepper, Romano MDs left a database containing backup data of 3 million clinical notes open to the public.

News

Email hack on ATI Physical Therapy breaches data of 35,000 patients

by Jessica Davis

Several employee emails were breached, exposing a range of patient data from Medicaid details to Social Security numbers.

News

Primary Health Care announces email breach one year after discovery

by Jessica Davis

Hackers broke into four employee email accounts of the Iowa provider, allowing access to a wide range of sensitive data.

News

Medical data of 33,000 BJC HealthCare patients exposed online for 8 months

by Jessica Davis

An internal scan by the St. Louis-based health system found a misconfigured server could be easily accessed without authentication.

News

134,512 patient records breached in malware attack

by Jessica Davis

St. Peter’s Surgery and Endoscopy Center was hit with the second-largest healthcare breach of 2018.

News

VA OIG finds cybersecurity flaws at Orlando VA Medical Center

by Jessica Davis

The Florida VA provider set up its Wi-Fi network without coordinating with the VA’s IT office.

News

Malware attack on UVA Health gave hacker access for 19 months

by Jessica Davis

The Charlottesville-based provider discovered the breach in December 2017 and has been working with the FBI on its investigation.

News

5 breaches cost $3.5 million for national provider in HHS settlement

by Jessica Davis

The first enforcement settlement of the year follows an OCR investigation of Fresenius Medical that began in 2013.

News

53,000 patient records breached after pharmacy phishing hack

by Jessica Davis

Three employee email accounts were hacked in November, exposing PHI, including financial data for some.

News

Allscripts hit by ransomware, knocking some services offline

by Jessica Davis

Users took to Twitter to complain about the cloud EHR being down, with some unable to access patient information all day.

News

Nearly 280,000 Medicaid patient records breached in Oklahoma hack

by Jessica Davis

A hacker gained access to an Oklahoma State Health Sciences network and accessed folders containing Medicaid billing data.

News

Ransomware attack on Hancock Health drives providers to pen and paper

by Jessica Davis

The first reported hospital ransomware attack in 2018 was sophisticated – and not caused by an employee opening a malicious email.

News

Data of 43,000 patients breached after theft of unencrypted laptop

by Jessica Davis

A laptop belonging to a Coplin Health Systems employee was stolen from a car; the incident serves as a reminder to encrypt all data.

News

Hackers expose data of 30,000 Florida Medicaid patients

by Jessica Davis

An employee of Florida’s healthcare agency fell for a phishing email, which allowed hackers to access Medicaid enrollee data.