Healthcare Data Breaches

The biggest healthcare data breaches of 2018 (so far)

Healthcare continued to be a lucrative target for hackers in 2017, with weaponized ransomware, misconfigured cloud storage buckets and phishing emails dominating the year. In 2018, these threats will continue and cybercriminals will likely get more creative, despite better awareness at the executive level of healthcare organizations of the funding needed to protect themselves.

This collection highlights some of the biggest breaches across the industry – and points to some mistakes to avoid in the future.

The Attacks

News

3 phishing hacks breach 20,000 Catawba Valley patient records

by Jessica Davis

While investigating one phishing attack in August, medical center officials discovered a hacker had access to three accounts for more than a month.

News

CMS responds to data breach affecting 75,000 in federal ACA portal

by Susan Morse

Open enrollment, which begins November 1, will not be negatively impacted, CMS says.

News

Two phishing attacks on Minnesota DHS breach 21,000 patient records

by Jessica Davis

For more than a month, two separate employee accounts were compromised by the cyberattacks before the IT department discovered the hack.

News

Update: Misconfigured database breaches MedCall Advisors

by Jessica Davis

A researcher discovered the North Carolina-based tech vendor leaking protected patient data through its Amazon S3 bucket twice in a month.

News

3 Massachusetts hospitals fined nearly $1 million by OCR for HIPAA violations

by Jessica Davis

Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital let ABC film a documentary on site without obtaining patient authorization.

News

Employee error exposed Blue Cross patient data for 3 months

by Jessica Davis

An employee uploaded a file containing member information to a public-facing website in April, but officials did not discover the error until July.

News

Ransomware attack breaches 40,800 patient records in Hawaii

by Jessica Davis

The Fetal Diagnostic Institute of the Pacific was able to restore data from backups and, with help from a cybersecurity firm, wipe the virus from the infected server.

News

Phishing attack breaches 38,000 patient records at Legacy Health

by Jessica Davis

The hackers went undetected for several weeks at the Portland, Oregon-based health system.

News

417,000 Augusta University Health patient records breached nearly one year ago

by Jessica Davis

The Georgia provider was hit by two cyberattacks in September 2017, but did not explain when the breach was discovered.

News

Canadian pharmacist fined for routinely accessing health records of acquaintances

by Lynne Minion

She snooped in the EHRs of nearly four dozen people over two years.

News

1.4M records breached in UnityPoint Health phishing attack

by Jessica Davis

This is the second breach for the health system this year, and the biggest health data breach of 2018 in the U.S.

News

Third-party vendor error exposes data of 19K patients for 2 months

by Jessica Davis

Orlando Orthopaedic’s transcriptionist vendor misconfigured access to a database during a software upgrade. The health center waited nearly six months to report.

News

Ransomware, malware attack breaches 45,000 patient records

by Jessica Davis

An investigation into a ransomware attack found hackers peppered Missouri-based Blue Springs Family Care with a variety of malware programs, which gave them full access to its systems.

News

LabCorp's network breach puts millions of records at risk

by Jessica Davis

Hackers breached one of the largest clinical laboratories over the weekend, forcing a shutdown of the network to contain the cyberattack.

News

Hackers breach 1.5M Singapore patient records, including the prime minister's

by Jessica Davis

In what officials say was a "deliberate," highly targeted attack, cybercriminals repeatedly targeted Singapore Prime Minister Lee Hsien Loong’s personal records.

News

Patient data exposed for months after phishing attack on Sunspire

by Jessica Davis

Employees fell victim to a targeted phishing campaign, which may have exposed sensitive data for some patients, including Social Security numbers and health insurance information.

News

Phishing attacks breach Alive Hospice for 1 to 4 months

by Jessica Davis

Two employee email accounts were breached by phishing attacks, which potentially gave hackers access to a trove of highly sensitive data that varied by patient.

News

Ransomware attack on Cass Regional shuts down EHR

by Jessica Davis

Emergency and stroke patients are still being diverted to ensure patients receive the best possible care, but the Missouri health system remains fully operational thanks to its prepared incident response plan.

News

Phishing attack on Manitowoc County breaches PHI

by Jessica Davis

Hackers hijacked an employee email account and diverted emails sent to the account to another account to which the county did not have access.

News

270,000 patient records breached in Med Associates hack

by Jessica Davis

The healthcare billing claims vendor discovered a hacker accessed an employee workstation on March 22.

News

Here's the right way to handle a breach

by Jessica Davis

While only about 6,500 patients were impacted by a cyberattack on Associates in Psychiatry and Psychology in March, the provider's transparency in its breach notification is a valuable example for other organizations.

News

42,000 patients impacted by 2016 breach of Michigan provider

by Jessica Davis

A hacker told Holland Eye Surgery and Laser Center in March that they had accessed a patient list, but an investigation revealed that another access occurred back in 2016.

News

Phishing hack on Ohio provider breaches data of 42,000 patients

by Jessica Davis

A hacker hit some email accounts of Aultman Health Foundation with a phishing attack in February, but officials didn’t discover the breach until March 28.

News

Data of 500k patients compromised in LifeBridge Health breach

by Beth Jones Sanborn

The health system discovered on March 18 that malware had infected its EMR server, patient registration and billing systems for more than a year.

News

DoD IG finds massive security flaws in Army, Navy EHR

by Jessica Davis

Inspector general says Defense Health Agency sites failed to consistently implement technical, physical and administrative protocols and may have violated HIPAA regulations in the process.

News

205,000 patient records exposed on misconfigured FTP server

by Jessica Davis

MedEvolve, a practice management software vendor, left its FTP server open to the public without the need for a login.

News

OCR investigating Banner Health for breach of 3.7 million records

by Jessica Davis

The Arizona health system is cooperating with the investigation but expects to receive negative findings and a potential fine.

News

Ransomware breaches data of 85,000 patients

by Jessica Davis

Hackers hit the IT vendor of three Center for Orthopaedic Specialists locations in February, which locked out users and encrypted patient data.

News

UnityPoint Health System hit with cyberattack affecting 16,000 patients

by Beth Jones Sanborn

Hospital is advising patients to monitor their explanation of benefits statements to keep an eye out for suspicious-looking activity.

News

California medical device manufacturer reports breach of 30,000 consumers

by Jessica Davis

Inogen reports a hacker accessed an employee email account for more than two months, according to an SEC filing.

News

63,500 records breached by misconfigured database

by Jessica Davis

Middletown Medical left a radiology interface open to the public, exposing patient data in the process.

News

New Jersey fines Virtua Medical $418,000 for HIPAA breach

by Jessica Davis

The penalty highlights the need for healthcare providers to thoroughly vet third-party vendors to ensure security best practices.

News

CareFirst breached again, notifying 6,800 members of phishing attack

by Jessica Davis

The Maryland insurer is already involved in a lawsuit stemming from a 2014 breach of about 1.1 million members.

News

Long Island provider exposes data of 42,000 patients in misconfigured database

by Jessica Davis

Cohen, Bergman, Klepper, Romano MDs left a database open to the public, containing backup data of 3 million clinical notes.

News

Email hack on ATI Physical Therapy breaches data of 35,000 patients

by Jessica Davis

Several employee emails were breached, exposing a range of patient data from Medicaid details to Social Security numbers.

News

Primary Health Care announces email breach one year after discovery

by Jessica Davis

Hackers broke into four employee email accounts of the Iowa provider, allowing access to a wide range of sensitive data.

News

Medical data of 33,000 BJC HealthCare patients exposed online for 8 months

by Jessica Davis

An internal scan by the St. Louis-based health system found a misconfigured server could be easily accessed without authentication.

News

134,512 patient records breached in malware attack

by Jessica Davis

St. Peter’s Surgery and Endoscopy Center was hit with the second-largest healthcare breach of 2018.

News

VA OIG finds cybersecurity flaws at Orlando VA Medical Center

by Jessica Davis

The Florida VA provider set up its Wi-Fi network without coordinating with the VA’s IT office.

News

Malware attack on UVA Health gave hacker access for 19 months

by Jessica Davis

The Charlottesville-based provider discovered the breach in December 2017 and has been working with the FBI on its investigation.

News

5 breaches cost $3.5 million for national provider in HHS settlement

by Jessica Davis

The first enforcement settlement of the year follows an OCR investigation of Fresenius Medical that began in 2013.

News

Allscripts hit by ransomware, knocking some services offline

by Jessica Davis

Users took to Twitter to complain about the cloud EHR being down, with some unable to access patient information all day.

News

53,000 patient records breached after pharmacy phishing hack

by Jessica Davis

Three employee email accounts were hacked in November, exposing PHI, including financial data for some.

News

Nearly 280,000 Medicaid patient records breached in Oklahoma hack

by Jessica Davis

A hacker gained access to an Oklahoma State Health Sciences network and accessed folders containing Medicaid billing data.

News

Ransomware attack on Hancock Health drives providers to pen and paper

by Jessica Davis

The first reported hospital ransomware attack in 2018 was sophisticated – and not caused by an employee opening a malicious email.

News

Data of 43,000 patients breached after theft of unencrypted laptop

by Jessica Davis

A laptop of a Coplin Health Systems employee was stolen from a car and serves as a reminder to encrypt all data.

News

Hackers expose data of 30,000 Florida Medicaid patients

by Jessica Davis

An employee of Florida’s healthcare agency fell for a phishing email, which allowed hackers to access Medicaid enrollee data.