Healthcare proved itself a lucrative target for hackers in 2016, and so far 2017 is, unfortunately, following suit. From organizations with exposed, unused websites to unencrypted storage drives, health organizations appear to still have much to learn about security.
This gallery highlights some of the biggest breaches across the industry – and points to some mistakes to avoid in the future.
Updated Oct. 12, 2017
Arkansas Oral Facial Surgery Center was hit by a cyberattack that shut the organization out of files, medical images and details of patient visits. An investigation found the cyberattack occurred between July 25 and 26, and while quickly detected, the virus encrypted x-ray images, files and documents of patients who visited the provider within three weeks prior to the incident.
While officials say less than 1 percent of patients were impacted by the breach, this is the second time the organization has been hit with a successful phishing attack within the last year.
Three hacking groups are once again targeting MongoDB databases, hijacking 26,000 open servers and asking for a ransom to release the data, according to security researcher Victor Gevers, chairman of the GDI Foundation.
The cyberattack was discovered on July 7, but the attack began nearly a month earlier on June 17. Officials said the hackers targeted certain electronic files on the provider’s server and workstation
While only 744 patients were included in this month’s breach, Kaleida Health already notified 2,800 of its patients in July of a separate phishing incident.
Just over 106,000 patients of are being notified by Mid-Michigan Physicians Imaging Center of a potential data breach of their personal health information. The records of both past and current patients may have been accessed after the McLaren Medical Group – which manages Mid-Michigan – discovered a breach of its Radiology Center computer system in March.
St. Mark’s Surgery Center discovered a ransomware attack on May 8, although the attack occurred from April 13 until April 17. The installed virus prevented patient data from being accessed during that time. The impacted servers contained patient names, dates of birth, Social Security numbers and medical information of this Florida provider.
Los Angeles-based Pacific Alliance Medical Center disclosed that it was hit by a ransomware attack in June. In August they determined that the breach involves the health information of 266,123 patients.
The cyberattack was first discovered in February, but crucial evidence was lost during the investigation on April that rendered it impossible for officials to rule out a breach.
Anthem BlueCross BlueShield began notifying customers last week of a breach affecting about 18,000 Medicare members. The breach stemmed from Anthem’s Medicare insurance coordination services vendor LaunchPoint Ventures, based in Indiana.
The breach on Women’s Health Care Group of Pennsylvania was discovered in May, but hackers had unauthorized access to the system as early as January.
While Peachtree Neurological Clinic avoided paying ransom after a recent cyberattack, the investigation that followed revealed a hacker had access to its system starting in February 2016.
An employee of UC Davis Health responded to a phishing email with login credentials, which officials said the hacker used to view patient data and send emails to other staff requesting large sums of money.
As many as 14 million U.S. customers of the telecommunications company were exposed after a user mistake caused a database to go public online.
A Bupa employee -- who has since been fired -- copied private information from global health insurance policies, which cover those who frequently travel or work overseas.
Indiana’s Health Coverage Program said that patient data was left open via a live hyperlink to an IHCP report until DXC Technology, which offers IT services to Indiana Medicaid, found the link on May 10. That report, DXC said, contained patient data including name, Medicaid ID number, name and address of doctors treating patients, patient number, procedure codes, dates of services and the amount Medicaid paid doctors or providers.
There were 1.1 million enrolled in Indiana's Medicaid & CHIP program in April 2017 according to KFF.org.
While the compromised computer was both locked and encrypted, the forensic investigation team couldn’t determine with certainty if there was unauthorized access to patient data during the April 21 attack.
Michigan-based Airway Oxygen was hit by a ransomware attack in April that may have compromised the data of 500,000 clients, the home medical equipment supplier reported to the U.S. Department of Health and Human Services on June 23. The hacker gained access to the network and installed ransomware, which shut employees out of the system where personal health information was stored.
Data has been dumped from two healthcare providers in a game the hacker, TheDarkOverlord, is calling: “A Business a Day.” The hacker leaked 6,000 patient records on June 8 from Feinstein & Roe MDs in Los Angeles and 6,300 patient records from La Quinta Center for Cosmetic Dentistry on June 9.
A hard drive containing the personal data of about 1 million people was stolen from Washington State University in April. The University discovered a locked safe that contained the hard drive was stolen from a WSU storage unit in Olympia. The stolen data is from survey participants and contained names, Social Security numbers and, for some, personal health data.
California-based Torrance Memorial Medical Center notified patients that two email accounts containing work-related reports were hit by a phishing attack in April. Officials didn’t reveal how many patients were affected, and the incident is not on the Office of Civil Rights’ breach reporting site.
Molina Healthcare, a major Medicaid and Affordable Care Act insurer, shut down its patient portal on May 26 in response to a security flaw that exposed patient medical claims data without requiring authentication, according to security researche Ben Krebs. At the time, it’s unclear how long the vulnerability was in place. Ben Krebs was first made aware of the security flaw in April through an anonymous tip, which could allow any Molina patient to access other patients’ medical claims by simply changing a single number in the URL.
The National Health Service in England and Scotland was hit by a large ransomware attack that has affected at least 16 of its organizations on May 12. The organization launched an investigation and determined the ransomware is likely the Wanna Decrytor. It’s one of the most effective ransomware variants on the dark web, and at the moment, there is no decryptor available. Within two days, 150 countries were affected by the #wannacry ransomware.
The third-party server that hosts the electronic health records of New Jersey Diamond Institute for Fertility and Menopause was hacked by an unauthorized individual, exposing protected health information of 14,633 patients.
The database and EHR system was encrypted, which prevented the hackers from gaining access, officials said. However, many supporting documents stored on the hacked server were left unencrypted and could have been accessed.
Pennsylvania-based Harrisburg Gastroenterology is notifying patients that their records might have been breached. The Health and Human Services Department’s Office for Civil Rights’ Wall of Shame lists the breach at 93,323 records on a network server exposed because of a hacking/IT incident.
Tens of thousands, and possibly up to millions, of patient records at Bronx-Lebanon Hospital Center in New York City were exposed in a recent data breach, according to the Kromtech Security Research Center, which uncovered the records on May 3. The records were part of a backup managed by iHealth Innovations, the research center said.
Dark Web hacker TheDarkOverlord has released 180,000 patient records from three hacks, DataBreaches.net revealed May 4. More than 3,400 patient records were released from New York City-based Aesthetic Dentistry, 34,100 from California’s OC Gastocare and 142,000 Tampa Bay Surgery Center. TDO used a Twitter account to post a link to a site that allows any user to download the patient databases from these organizations.
The patient records of about 500,000 children are up for grabs on the dark web, a hacker named Skyscraper told DataBreaches.net on April 26. These records contain both child and parent names, Social Security numbers, phone numbers and addresses. DataBreaches didn’t name the breached organizations but also said that another 200,000 records were stolen from elementary schools. The amount of breached records for pediatricians reported to the Department of Health and Human Services’ Office of Civil Rights is not equal to that number, meaning many of these providers are likely unaware their data has been exposed.
Providence-based Lifespan, Rhode Island's largest health network, has notified about 20,000 of its patients that a laptop theft may have exposed their sensitive information. The health organization said an employee's MacBook was taken after a car break-in on Feb. 25. The employee immediately contacted both law enforcement and Lifespan officials, who were able to change the employee’s credentials used to access Lifespan system resources.
The personal health data of 918,000 seniors was posted online for months, after a software developer working for HealthNow Networks uploaded a backup database to the internet, an investigation by ZDNet and DataBreaches.net found. Boca Raton, Florida-based HealthNow Networks is a telemarketing company that used to provide medical supplies to mostly seniors who rely on diabetic equipment. However, it’s no longer a registered business as of 2015, when it failed to file an annual report with Florida authorities. The software developer was contracted to build a customer database for HealthNow Networks, but the developer told researchers it was "too much work."
A ransomware attack at San Antonio-based ABCD Children’s Pediatrics may have breached the data of 55,447 patients. Affected files may have included patient names, Social Security numbers, insurance billing information, dates of birth, medical records, laboratory results, procedure technology codes, demographic data, address and telephone numbers. Investigators determined it was the Dharma virus, a variant of the Crisis ransomware family. While this virus doesn’t typically exfiltrate data, the provider was unable to rule it out, officials said.
A Washington University School of Medicine employee fell victim to a phishing attack that may have compromised 80,270 patient records. The medical school learned of the incident on Jan. 24 -- seven weeks after the phishing attack occurred on Dec. 2, officials said in a statement. The employee responded to a phishing email designed to look like a legitimate request. As a result, an unauthorized party may have gained access to employee email accounts that contained patient data.
This Milwaukee-based provider began notifying patients that a November ransomware attack may have exposed their personal data. There were 17,634 patients affected, according to the U.S. Department of Health and Human Services' Office for Civil Rights. Two of Metropolitan Urology’s servers were infected by the virus, which may have exposed data of patients between 2003 and 2010. Officials said the data contained names, patient account numbers, provider identification, medical procedure codes and data of the provided services. About 5 percent of these patients had their Social Security numbers exposed.
An unencrypted hard drive that contained seven years of backup electronic health record data was stolen from the Denton Health Group, a member of the HealthTexas Provider Network. The backup files contained a hoard of patient data from 2009 until 2016: Names, Social Security numbers, dates of birth, addresses, phone numbers, driver's license numbers, medical record numbers, insurance provider and policy details, physician names, clinic account numbers, medical history, medications, lab results and other clinical data.
In March, the Medicare-approved health plan notified 14,005 patients of a potential breach of electronic protected health information after an unauthorized access through a third-party vendor system. On Dec. 28, Brand New Day discovered that an unauthorized user had accessed the ePHI provided to one of its HIPAA business associates on Dec. 22. The access occurred through a vendor system used by a contracted provider, officials said.
In February, the Flint, Michigan, cancer center notified 22,000 patients of a breach discovered in August 2016. Hackers had access to the practice's server between February and July of 2016, local affiliate ABC12 reported. The files contained names, Social Security numbers, addresses, phone numbers, dates of birth, CPT codes and insurance information.
Verity Medical Foundation-San Jose Medical Group website, part of the Verity Health System in Redwood City, California, was hacked, exposing the data of 10,164 patients. Verity includes six California hospitals, the Verity Medical Foundation and Verity Physician Network. An unauthorized user hacked into the website from October 2015 until it was discovered by Verity Health on January 6. The website was no longer in use.
More than a year after discovering a potential breach to its websites, healthcare administrative services and IT provider, CoPilot Provider Support Services notified 220,000 patients and doctors who used its service. An unauthorized user breached one of CoPilot's databases, used by both healthcare providers and patients, in October 2015, according to officials. The hacker downloaded files that contained names, dates of birth, addresses, phone numbers, health insurers and some Social Security numbers of some users. No financial, medical treatment or other information was accessed.
The server and back-up drive of Muncie, Indiana-based Cancer Services of East Central Indiana-Little Red Door were hacked and the data stripped, encrypted and taken for ransom by the cybercriminal organization, TheDarkOverlord, or TDO, the agency revealed Jan. 18. The hack took place on Jan. 11. TDO asked for 50 bitcoin, or about $43,000, in ransom, first in a text message to the personal cellphones of the company’s executive director, president and vice president. Officials said, TDO followed up in a form letter and several emails that contained extortion threats and promises to contact family members of the cancer patients, donors and community partners.