Cybercrime targeting the healthcare industry is big business and affects organizations across the spectrum, as breaches occur at a rate of 1.4 per day in the U.S. alone. And the risk is only increasing: According to the 2019 Healthcare Data Breach Report published by HIPAA Journal, "more healthcare records were breached in 2019 than in the six years from 2009 to 2014."
Healthcare records are a hot and valuable commodity on the dark web. As a result, healthcare firms have become a valuable target for hackers because of the large amount of personal health information in their possession.
In the decade between 2009 and 2019, there were 3,054 known healthcare data breaches involving 500 records or more. Those breaches have resulted in the exposure of 231 million healthcare records.
Let's take a look at 10 major cyberattacks from the past ten years in terms of how many people were affected.
The Biggest Healthcare Industry Cyberattacks
10. Banner Health
In 2016, hackers used malware to breach the payment processing system of Banner Health's food and beverage outlets. The system was then used as a gateway into the Banner Health network, eventually providing the hackers with access to servers containing patient data.
The cyberattack went undiscovered for nearly one month. Stolen data included highly-sensitive information, such as Social Security numbers, dates of services and claims, health insurance information, and more.
· Cyberattack type: Malware
· Location: Arizona
· Cost: $6 million
· People affected: 3.6 million
Following the data breach, Banner Health made upgrades to comply with payment card industry data security standards (PCI DSS), ramped up its security monitoring for cyberthreats and risks, and implemented tighter cybersecurity practices overall. Other changes involved areas of program governance, identity and access management, and network and infrastructure security.
9. Medical Informatics Engineering
In 2015, Medical Informatics Engineering (MIE), an electronic health records software firm, published a notice that attackers had breached patient data in its WebChart web app.
Cyber thieves entered the company network remotely by logging in with easily guessed credentials. Once inside, attackers introduced an SQL injection exploit into a company database. Weeks later, the attackers launched a second offensive, using c99 web shell malware to reach additional files.
· Cyberattack type: Brute force attack/SQL injection/malware
· Location: Indiana
· Cost: $1 million
· People affected: 3.9 million
To address the situation, MIE notified the FBI and hired a team of third-party experts to remediate the attack vectors used by the cybercriminals. Since then, the organization has also made significant investments in additional safeguards and security measures, including security personnel, policies, procedures, controls, and monitoring/prevention tools. MIE also retained third-party vendors and applications to assist with protecting health information, as well as with auditing and certifying its information security program.
8. Advocate Medical Group
Between July and November 2013, Advocate Medical Group (AMG), a physicians' group with more than 1,000 doctors, reported three separate data breaches. In the first breach thieves stole four desktop computers from an administrative office in Park Ridge, Illinois. The computers contained the records of nearly 4 million patients.
The second breach involved an unauthorized third party, which gained access to the network of the billing services provider of AMG, and potentially compromised the health records of more than 2,000 patients. Finally, an unencrypted laptop containing patient records of more than 2,230 people was stolen from an AMG staffer's car.
Patient names, addresses, dates of birth, credit card numbers with expiration dates, as well as demographic information, clinical information, and health insurance data were compromised.
· Cyberattack type: Physical theft
· Location: Illinois
· Cost: $5.55 million
· People affected: 4 million
Post-breach, Advocate reinforced its security protocols and encryption program with associates. It also added 24/7 security personnel at the facility where the computers were stolen and accelerated deployment of enhanced technical safeguards.
7. Community Health Systems
In 2014, Community Health Systems, which at the time operated 206 hospitals in 29 states, suffered a network data breach that exposed the personal information of 4.5 million individuals. The organization's 8-K filing to the U.S. Securities and Exchange Commission stated that an "advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems."
Compromised data included names, addresses, birthdates, telephone numbers, and Social Security numbers.
· Cyberattack type: Malware
· Location: Tennessee
· Cost: $3.1 million
· People affected: 4.5 million
Community Health Systems engaged an outside forensics expert to conduct a thorough investigation and remediation of this incident. The company then implemented a number of efforts designed to protect against future intrusions. This included implementing additional auditing and surveillance technology to detect unauthorized access, adopting advanced encryption technologies, and having users change their access passwords.
6. University of California, Los Angeles Health
In 2014, officials from UCLA Health discovered suspicious activity on its network. At the time, they determined that hackers had not gained access to systems containing personal and medical data.
However, in 2015, officials confirmed the cyberattack had indeed compromised systems with patient information—including names, Social Security numbers, dates of birth, health plan identification numbers, and medical data.
· Cyberattack type: malware
· Location: California
· Cost: $7.5 million
· People affected: 4.5 million
As a result of a class-action lawsuit, UCLA Health agreed to update its cybersecurity practices and policies. The organization also began working with the FBI and hired computer forensic experts to secure its network—implementing measures such as assessing emerging threats and potential vulnerabilities.
5. Science Applications International Corporation
A 2011 data breach at Science Applications International Corporation (SAIC) involved the theft of personal and medical records of millions of military patients and their families. The records were stored on back-up tapes, which were stolen from a data contractor's car.
· Cyberattack type: Physical theft
· Location: Texas
· Cost: Undisclosed
· People affected: 4.9 million
SAIC set up an incident response call center for those affected, but provided little additional detail about its plans for remediation.
4. Excellus Health Plan, Inc.
Excellus reported in 2015 that the data of 10 million clients might have been exposed in a cyberattack dating back to 2013.
Excellus hired a cybersecurity firm to conduct a forensic review of its computer systems. The third party found that the names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claim data of Excellus clients were compromised.
Cyberattack type: Malware
Location: New York
Cost: $17.3 million
People affected: 10 million
Although the affected data was encrypted, the hackers gained access to administrative controls, making the encryption moot. The company said it moved quickly to close the vulnerability, and to strengthen and enhance the security of its systems moving forward.
3. Premera Blue Cross
In 2014, hackers sent a phishing email to a Premera employee. The email included a link to download a document containing malware. Once the employee clicked on the link and downloaded the document, the hackers were able to access Premera's server. The company failed to detect the breach for eight months. Premera hired a cybersecurity consulting firm that attributed the breach to agents associated with the Chinese government.
Premera Blue Cross paid $74 million to settle a class-action lawsuit resulting from the data breach.
· Cyberattack type: Phishing
· Location: Washington
· Cost: $74 million
· People affected: 11 million
Under the settlement of the lawsuit, the insurer agreed to improve its information security program. It began encrypting certain personal data, strengthened specific data security controls, and increased network monitoring. Premera was also required to add stronger passwords, reduce employee access to sensitive data, enhance its email security, and perform annual third-party vendor audits.
2. American Medical Collection Agency
In 2018, hackers were able to breach American Medical Collection Agency (AMCA), which provided billing collections services for Quest Diagnostics, LabCorp, and others.
The unknown attacker was able to access and steal patient data, including Social Security numbers, addresses, dates of birth, medical information, and payment card information.
The stolen data was later advertised for sale in underground web forums.
After AMCA's four largest clients terminated their agreements, the company filed for bankruptcy.
· Cyberattack type: Quest said that unauthorized activity took place on "AMCA's web payment page," which may suggest a card skimmer was in play.
· Location: New York
· Cost: $3.8 million
· People affected: 26 million
AMCA migrated its web payments portal services to a different third-party vendor. It also hired an outside forensics firm to investigate the breach and retained additional experts to advise on and implement steps to increase its security.
1. Anthem, Inc.
In 2015, Anthem (formerly WellPoint) disclosed that attackers gained access to a corporate database by way of a phishing email, thereby giving them access to the organization's protected health information.
The hackers stole nearly 79 million records containing patient and employee data. Compromised data included names, addresses, Social Security numbers, birth dates, medical IDs, insurance membership numbers, income data, and employment information. This is the largest healthcare industry cyberattack in history.
· Cyberattack type: Phishing/malware
· Location: Indiana
· Cost: $115 million
· People affected: 78.8 million
Anthem agreed to pay a total of $115 million to resolve the litigation. As part of the settlement, Anthem was also ordered to implement sweeping "changes to its data security systems and policies," and to nearly triple its cybersecurity budget, wrote the U.S. District Judge who approved the settlement.
Reducing the Risk of a Data Breach
This list of the top 10 cybersecurity attacks in healthcare should serve as a stark reminder to all risk managers in the healthcare industry of the critical importance of security and compliance fundamentals. Basic cybersecurity readiness includes performing a comprehensive security risk analysis, providing ongoing employee training—both formal and informal—and continuously reviewing information system activity.
Healthcare providers must have visibility into what's going on across their environments and monitor in real time and around the clock for signs of suspicious activity. Then, they must be able to take immediate action when necessary.
Those that fail to do so may face crippling class-action lawsuits, irreparable damage to brand reputation and patient trust, and harsh financial penalties under HIPAA for not adequately protecting confidential customer information.
Healthcare companies that make a genuine commitment to improving their security operations to protect patients' personal information will avoid the misfortune of so many organizations before them.
Learn more about how Arctic Wolf can protect your healthcare organization.