Healthcare data breaches are increasingly prevalent, particularly at hospitals, in physician offices, and with healthcare plans. In 2018, the healthcare industry faced more security breaches than any other industry. In the US, there were 365 instances of healthcare breaches, up from 358 in 2017. So far in 2019, breaches have been reported at a rate of more than one per day, showing that organizations still have not invested enough in upgrading their security.
Poor security measures come at a high cost. When a health firm suffers a data breach, it loses, on average, 7% of its patients. Compromised personal health records cost up to $7 billion annually. It is important to stay abreast of these trends: you can protect your own data before suffering expensive consequences, and also understand how other companies have survived unexpected attacks.
Here is a reflection on the biggest healthcare data breaches over the past year and the outlook for the rest of 2019.
Looking Back: Largest Healthcare Breaches of 2018
HealthEquity offers savings accounts to 3.4 million people. In November 2018, the company reported that it suffered two employee email account hacks that affected 190,000 patients. One unauthorized log-in occurred on October 5 and other attempts happened between September 4 and October 3. HealthEquity extended one of the most generous compensation packages to victims: five years of credit monitoring, $1,000,000 in insurance reimbursement, and identity theft recovery services.
Employee Retirement System of Texas
An Employee Retirement System (ERS) Online Portal flaw exposed the healthcare records of over 1.2 million individuals, allowing their information to be viewed by other healthcare members. The ERS became aware of the breach in August 2018 and reported it to the US Department of Health and Human Services in October.
AccuDoc Solutions, Inc.
In September 2018, a hacker accessed sensitive databases belonging to AccuDoc, a US healthcare billing vendor, containing patient and guarantor data, including names, addresses, dates of birth, insurance policies, medical records, account balances, and social security numbers. This affected the privacy of 2.65 million Atrium Health customers at hospitals throughout North Carolina, South Carolina, and Georgia.
Unauthorized users accessed a workstation in March 2018 at Med Associates, a health billing company located in Latham, New York, and exposed the personal health information (PHI) of 270,000 people. In response to the breach, Med Associates reached out to affected individuals offering free credit monitoring.
UnityPoint Health, a hospital, clinic, and home care service network in Iowa, Illinois, and Wisconsin, was hit by a phishing attack on May 31, 2018. Emails appeared to come from an executive within UnityPoint Health and a hacker thereby obtained access to internal email accounts. This attack in March and April 2018 put the information of 1.4 million customers at risk and was the second security breach of the year for the organization. According to officials at UnityPoint Health, the attack was most likely financially motivated - aimed at diverting payroll or vendor payments.
A malware attack on the EHR server of Potomac Physicians resulted in the identity exposure of 530,000 patients. A class-action lawsuit was filed against Lifebridge in 2018 for failing to protect confidential information. Detailed investigation of the incident traced the initial breach back to September 2016, meaning the hackers had access to systems and patient records for over 18 months through the malware attack.
University of Washington Medicine
Sometimes data breaches occur not because of malicious third parties but because of website or database configuration errors. The files of 974,000 patients were exposed for most of December 2018 because of a mistake in the database setup. UW Medicine collaborated with Google to delete the saved patient information from its servers.
Assessing the Current State: Largest Breaches of 2019
The security outlook in healthcare for 2019 does not seem to be improving, as there have been several major attacks in the first quarter of the year. Here are some of the most impactful cases:
An error during a routine server migration caused Zoll, a medical device vendor, to expose the personal and medical data of 277,000 patients. The exposure resulted from working with an insecure third-party service provider that hosted private email records. Zoll discovered the breach in January 2019.
Oregon Department of Health Services
A phishing attack in January 2019 targeted nine employees of the Oregon Department of Health Services. By clicking on an email link, these employees revealed 2 million email addresses and client data pertaining to 350,000 accounts.
In March 2019, Navicent Health, the second biggest hospital in Georgia, notified patients that in July 2018, a cyberattack on their employee email system revealed the personal information of 278,000 patients. The personal information exposed included names, birthdates, addresses, and medical information. In response to the breach, Navicent Health released a statement saying that they were reassessing technical controls and educating staff about cybersecurity.
Looking Forward: How Health Firms Can Improve Security
In 2019, healthcare organizations will need to update their knowledge of HIPAA compliance and increase investment in cybersecurity. Negligent breaches are twice as common as ones of malicious intent. Hackers are using more advanced technologies to break into systems, so organizations need to prepare for cyber attacks with training on phishing emails, more sophisticated passwords, multi-factor authentication, and other security measures.
When organizations have been hacked, it is critical that they respond in a timely manner, honestly confronting flaws in the system, bringing in professional cybersecurity experts to identify technology system vulnerabilities, and providing continuous education and training on cybersecurity for customers and employees.
Strong cybersecurity will require ongoing investment of time and financial resources, but it is well worth the cost. Heightened security and fast response to cyber attacks can prevent expensive lawsuits, preserve a company’s reputation, retain valuable customers, and keep patients safe.