10.1 million dollars.
That’s the average cost of a healthcare breach in the U.S. It’s an alarming number that’s only continued to climb, increasing by over 41% in the past two years, according to IBM’s 2022 Cost of a Data Breach Report. In fact, the healthcare industry has had the highest average cost of a breach for 12 years running.
It’s not just the costs that are climbing, either.
According to HIPAA Journal, “347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights” in the first half of 2022 alone. And Tetra Defense reported that healthcare accounted for nearly 20% of their incident responses in the first quarter of 2022.
Healthcare providers store tremendous amounts of protected health information (PHI), don’t always have the resources for cutting-edge defenses, and need 24×7 uninterrupted access to their systems to properly care for patients. Threat actors know all of this, which is why healthcare is such a prime target for cybercriminals.
As the number and cost of healthcare data breaches continues to rise, it’s important to get a clear picture of just how much damage can be done. Here, then, is a look back at 12 of the biggest data breaches to date.
Biggest Healthcare Industry Cyber Attacks
12. Shields Health Care Group
In May of 2022, this Massachusetts-based medical imaging service provider reported that a cybercriminal had gained unauthorised access to some of its IT systems back in March.
All told, over 2 million patients had their PHI stolen, including names, addresses, Social Security numbers, insurance information, and medical history information. While we don’t know the full cost of this breach, the damage done is clear. Because Shields Health Care Group supplies management and imaging services for approximately 50 healthcare providers, the scope of the attack was massive. Not surprisingly, a class action lawsuit soon followed.
Cyber attack type: Not disclosed
Location: Massachusetts
People affected: 2 million
Shields Health Care Group sent letters to all affected patients in July, but so far maintains that there is no evidence of identity fraud or theft
11. Advocate Aurora Health
With 26 hospitals across Wisconsin and Illinois, Advocate Aurora Health is one of the largest healthcare providers in the Midwest. Their improper use of a common website tracking device led to the exposure of the data of 3 million patients in July of 2022.
Meta Pixel uses JavaScript to track visitors on websites, supplying vital information on how they interact, how long they stay on the site, and where they drop off. Pixels are a useful tool that helps web designers and organisations make their sites more user-friendly.
However, in the case of Advocate Aurora Health, the use of Meta Pixel on patient portals — where patients enter sensitive information caused PHI to be disclosed, especially if users were logged into Facebook or Google at the same time.
Cyber attack type: Third-party vendor
Location: Wisconsin, Illinois
People affected: 3 million
While Advocate Aurora Health and its patients are the victims this time, they won’t be the last. Meta Pixel is used by many healthcare providers across the country, a fact patients might only learn about when they begin to receive targeted ads about their specific medical condition. This outrageous situation helps explain why class action lawsuits against Meta and healthcare providers are springing up nationwide.
10. Trinity Health
Trinity Health experienced the largest impact among healthcare providers due to the 2020 ransomware attack on Blackbaud, a vendor of cloud-based customer relationship management software.
The attack on one of Blackbaud’s self-hosted cloud servers affected hundreds of customer organsations around the world, including more than two dozen healthcare organisations, and led to the compromise of more than 10 million records.
Blackbaud stopped the cybercriminals before they fully encrypted files in the hacked databases, but not before they exfiltrated sensitive data. The company paid an undisclosed sum to the hackers to destroy the stolen data.
Cyber attack type: Ransomware
Location: Michigan
People affected: 3.32 million
Trinity Health’s donor database was among the files the attackers managed to steal. It included electronic protected health information (ePHI) such as dates of birth, physical and email addresses, Social Security numbers, treatment information, and financial payment data.
Blackbaud said it fixed the vulnerability that attackers exploited. HHS, which enforces the Healthcare Insurance Portability and Accountability Act (HIPAA), and other agencies are investigating the incident.
9. Banner Health
In 2016, hackers used malware to breach the payment processing system of Banner Health’s food and beverage outlets. The attackers then used the system as a gateway into the Banner Health network, eventually obtaining access to servers containing patient data.
The cyber attack went undiscovered for nearly a month. Stolen data included highly sensitive information such as Social Security numbers, dates of services and claims, health insurance information, and more.
Cyber attack type: Malware
Location: Arizona
Cost: $6 million
People affected: 3.6 million
Following the data breach, Banner Health made upgrades to comply with payment card industry data security standards (PCI DSS), ramped up its security monitoring for cyberthreats and risks, and implemented tighter cybersecurity practices overall. Other changes involved areas of program governance, identity and access management, and network and infrastructure security.
8. Medical Informatics Engineering
In 2015, Medical Informatics Engineering (MIE), an electronic health records software firm, published a notice that attackers had breached patient data in its WebChart web app.
Cyberthieves had entered the company network remotely by logging in with easily guessed credentials. Once inside, attackers introduced an SQL injection exploit into a company database. Weeks later, the attackers launched a second offensive, using c99 web shell malware to reach additional files.
Cyber attack type: Brute force attack/SQL injection/Malware
Location: Indiana
Cost: $1 million
People affected: 3.9 million
To address the situation, MIE notified the FBI and hired a team of third-party experts to remediate the attack vectors the cybercriminals used successfully. Since then, the organisation has also made significant investments in additional safeguards and security measures, including security personnel, policies, procedures, controls, and monitoring and prevention tools.
MIE also retained third-party vendors and applications to help protect health information and audit and certify its information security program.
7. Advocate Medical Group
Between July and November 2013, Advocate Medical Group (AMG), a physicians’ group with more than 1,000 doctors, reported three separate data breaches. In the first breach, thieves stole four desktop computers from an administrative office in Park Ridge, Illinois. The computers contained the records of nearly 4 million patients.
The second breach involved an unauthorised third party, who gained access to the network of the billing services provider of AMG and potentially compromised the health records of more than 2,000 patients. Finally, an unencrypted laptop containing patient records of more than 2,230 people was stolen from an AMG staffer’s car.
Patient names, addresses, dates of birth, credit card numbers, demographic information, clinical information, and health insurance data were compromised.
Cyber attack type: Physical theft
Location: Illinois
Cost: $5.55 million
People affected: 4 million
After the breach, Advocate reinforced its security protocols and encryption program with its associates. It also added 24×7 security personnel at the facility where the computers were stolen and accelerated deployment of enhanced technical safeguards.
6. Community Health Systems
In 2014, Community Health Systems, which then operated 206 hospitals in 29 states, suffered a network data breach that exposed the personal information of 4.5 million individuals. The organisation’s 8-K filing to the U.S. Securities and Exchange Commission (SEC) stated that an “advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company’s systems.”
Compromised data included names, addresses, birth dates, telephone numbers, and Social Security numbers.
Cyber attack type: Malware
Location: Tennessee
Cost: $3.1 million
People affected: 4.5 million
Community Health Systems engaged an outside forensics expert to conduct a thorough investigation and remediation of this incident. The company then implemented several efforts designed to protect against future intrusions. This included additional auditing and surveillance technology to detect unauthorised access, advanced encryption technologies, and having users change their access passwords.
5. University of California, Los Angeles Health
In 2014, officials from UCLA Health discovered suspicious activity on its network. At the time, they determined that hackers had not gained access to systems containing personal and medical data.
However, in 2015, officials confirmed the cyber attack had indeed compromised systems with patient information — including names, Social Security numbers, dates of birth, health plan identification numbers, and medical data.
Cyber attack type: Malware
Location: California
Cost: $7.5 million
People affected: 4.5 million
As the result of a class-action lawsuit, UCLA Health agreed to update its cybersecurity practices and policies. The organisation also began working with the FBI and hired computer forensic experts to secure its network — implementing measures such as assessing emerging threats and potential vulnerabilities.
4. Excellus Health Plan, Inc.
Excellus reported in 2015 that the data of 10 million clients might have been exposed in a cyber attack dating all the way back to 2013.
Excellus hired a cybersecurity firm to conduct a forensic review of its computer systems. The third-party firm found that the names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claim data of Excellus clients were compromised.
Cyber attack type: Malware
Location: New York
Cost: $17.3 million
People affected: 10 million
Although the affected data was encrypted, the hackers gained access to administrative controls, making the encryption moot. The company said it moved quickly to close the vulnerability, and to strengthen and enhance the security of its systems moving forward.
3. Premera Blue Cross
In 2014, hackers sent a phishing email to a Premera employee. The email included a link to download a document containing malware. Once the employee clicked on the link and downloaded the document, the hackers were able to access Premera’s server.
Premera did not detect the breach for eight months. The company hired a cybersecurity consulting firm that attributed the breach to agents associated with the Chinese government.
Premera Blue Cross paid $74 million to settle a class-action lawsuit resulting from the data breach.
Cyber attack type: Phishing
Location: Washington State
Cost: $74 million
People affected: 11 million
Under the settlement of the lawsuit, the insurer agreed to improve its information security program. It began encrypting certain personal data, strengthened specific data security controls, and increased network monitoring.
Premera was also required to add stronger passwords, reduce employee access to sensitive data, enhance its email security, and perform annual third-party vendor audits.
2. American Medical Collection Agency
In 2018, hackers breached American Medical Collection Agency (AMCA), which supplied billing collections services for Quest Diagnostics, LabCorp, and others.
The unknown attacker was able to access and steal patient data, including Social Security numbers, addresses, dates of birth, medical information, and payment card information. The stolen data was later advertised for sale in underground forums on the dark web.
After AMCA’s four largest clients terminated their agreements, the company filed for bankruptcy. In the meanwhile, a multistate investigation into the breach by 41 attorneys general that concluded in December 2020 held the company liable for $21 million in injunctive damages.
Cyber attack type: Hacked online payment portal
Location: New York
Cost: $21 million (payment suspended unless certain terms of the settlement agreement are violated)
People affected: At least 21 million
AMCA migrated its web payments portal services to a different third-party vendor. It also hired an outside forensics firm to investigate the breach and retained additional experts to advise on and implement steps to increase its security.
1. Anthem, Inc.
In 2015, Anthem (formerly WellPoint) disclosed that attackers accessed its corporate database by way of a phishing email, thereby also gaining access to the organisation’s ePHI.
The hackers stole nearly 79 million records containing patient and employee data. Compromised data included names, addresses, Social Security numbers, birth dates, medical IDs, insurance membership numbers, income data, and employment information. This is the largest healthcare industry cyber attack in history.
Cyber attack type: Phishing/Malware
Location: Indiana
Cost: $115 million
People affected: 78.8 million
Anthem agreed to pay $115 million to resolve the litigation. As part of the settlement, Anthem was also ordered to implement sweeping “changes to its data security systems and policies,” and to nearly triple its cybersecurity budget, wrote the U.S. District Judge who approved the settlement.
Reducing the Risk of a Data Breach
This list of the top 12 cybersecurity attacks in healthcare is far from comprehensive. Rather, it’s a reminder to risk managers in the healthcare industry about the critical importance of security and compliance fundamentals.
As these data breaches and many others have shown, the consequences of not having strong security practices in place can range from HIPAA penalties and fines to class-action lawsuits to bankruptcy to irreparable damage of brand reputation and patient trust.
Basic cybersecurity readiness includes performing a comprehensive security risk analysis, addressing vulnerabilities, providing ongoing employee training — both formal and informal —and continuously reviewing information system activity.
To defend against cybercriminals targeting the sector, healthcare organizations need visibility into what occurs across their environments, along with 24×7, real-time monitoring of suspicious activity, so they can take immediate action when necessary.
Security operations are critical for healthcare providers in their commitment to protect patients’ personal information. Organizations that have limited in-house expertise and resources should consider cost-effective alternatives to in-house security operations.
Learn more about how Arctic Wolf, the leader in security operations, can protect your healthcare organization through a range of security operations solutions.
