Healthcare providers don't have the resources for cutting-edge defenses—and threat actors know this, so health records are a hot and valuable commodity on the dark web.
In fact, cyberattacks on healthcare providers have resulted in 3,705 data breaches and 267 million compromised medical records since 2009, HIPAA Journal reports.
In 2020, healthcare was the top industry in terms of the largest number of publicly disclosed breaches. Of 3,932 breach events in 2020, 484 (13 percent) involved healthcare providers, more than any other industry, according to a report by Risk Based Security. HIPAA Journal counted even more healthcare data breaches in 2020, putting the number at 642 data breaches of 500 or more records, a 25 percent increase compared to 2019.
As the number of data breaches continues to rise, here is a look back at the 12 biggest healthcare cyberattacks so far.
The Largest Healthcare Industry Cyberattacks
12. United Healthcare Services
United Health Services (UHS), which has more than 400 facilities and 3.5 million patients across the United States and United Kingdom, was the unfortunate victim of one of 2020’s most damaging ransomware attacks on the healthcare industry. The incident involved Ruyk, a strain that's been common in ransomware attacks on the global healthcare sector over the last two years.
The attackers crippled the organization’s entire IT network in the U.S. for several days in September, forcing staff to resort to offline processes, including paper records, as well as needing to redirect patients to other providers and cancel appointments. It took nearly a month for UHS to completely restore its systems.
Ransomware is such a significant threat to the healthcare sector that the U.S. Cybersecurity & Infrastructure Security Agency, the FBI, and the Department of Health and Human Services (HHS), issued an advisory in October 2020 warning that they “have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers." Ruyk was among the strains described in the advisory.
- Cyberattack type: Ransomware
- Location: Pennsylvania
- Cost: $67 million
Security researchers believe it’s likely the attack started with a phishing email. Although there's no indication of leaked data, the incident cost the company $67 million in recovery expenses, labor costs, and lost revenues.
In October 2020, a U.S. senator sent a letter to the company's CEO, questioning the health system's vulnerability management process, especially patch management, as well as its third-party risk management, segmentation, and other practices.
11. Magellan Health
One of 2020's biggest healthcare cyberattacks started in April with a sophisticated spear phishing campaign impersonating a client’s communications. Through social engineering, the attackers compromised Magellan Health's employee credentials, used malware to gain access to more accounts and network systems, exfiltrated sensitive data, and then launched a ransomware attack.
Initially, the Fortune 500 healthcare company reported that 365,000 patient records—including physical and email addresses, phone numbers, Social Security numbers, treatment records, and employee payroll data—were affected. However, the tally later skyrocketed to nearly two million.
- Cyberattack type: Ransomware
- Location: Arizona
- People affected: 1.7 million
This was the second phishing-related data breach for Magellan Health in the span of a year.
While the cost of the attack is yet unknown, the price tag will most likely rise as former employees filed a class-action suit. The lawsuit alleged that Magellan Health failed to follow security best practices and “adequately invest in cybersecurity measures," despite being a multibillion-dollar company.
10. Trinity Health
Trinity Health experienced the largest impact among healthcare providers as a result of the 2020 ransomware attack on Blackbaud, a vendor of cloud-based customer relationship management software.
The attack on one of Blackbaud's self-hosted cloud servers affected hundreds of customer organizations around the world, including more than two dozen healthcare organizations, and led to the compromise of more than 10 million records.
Blackbaud stopped the cybercriminals before they fully encrypted files in the hacked databases, but not before they exfiltrated sensitive data. The company paid an undisclosed sum to the hackers to destroy the stolen data.
- Cyberattack type: Third-party vendor
- Location: Michigan
- People affected: 3.32 million
Trinity Health's donor database was among the files the attackers managed to steal. It included electronic protected health information (ePHI) such as dates of birth, physical and email addresses, Social Security numbers, treatment information, and financial payment data.
Blackbaud said it fixed the vulnerability that attackers exploited. HHS, which enforces the Healthcare Insurance Portability and Accountability Act (HIPAA), and other agencies are investigating the incident.
9. Banner Health
In 2016, hackers used malware to breach the payment processing system of Banner Health's food and beverage outlets. The attackers then used the system as a gateway into the Banner Health network, eventually obtaining access to servers containing patient data.
The cyberattack went undiscovered for nearly a month. Stolen data included highly-sensitive information such as Social Security numbers, dates of services and claims, health insurance information, and more.
- Cyberattack type: Malware
- Location: Arizona
- Cost: $6 million
- People affected: 3.6 million
Following the data breach, Banner Health made upgrades to comply with payment card industry data security standards (PCI DSS), ramped up its security monitoring for cyberthreats and risks, and implemented tighter cybersecurity practices overall. Other changes involved areas of program governance, identity and access management, and network and infrastructure security.
8. Medical Informatics Engineering
In 2015, Medical Informatics Engineering (MIE), an electronic health records software firm, published a notice that attackers had breached patient data in its WebChart web app.
Cyberthieves had entered the company network remotely by logging in with easily guessed credentials. Once inside, attackers introduced an SQL injection exploit into a company database. Weeks later, the attackers launched a second offensive, using c99 web shell malware to reach additional files.
Cyberattack type: Brute force attack/SQL injection/malware
Cost: $1 million
People affected: 3.9 million
To address the situation, MIE notified the FBI and hired a team of third-party experts to remediate the attack vectors the cybercriminals used successfully. Since then, the organization has also made significant investments in additional safeguards and security measures, including security personnel, policies, procedures, controls, and monitoring/prevention tools.
MIE also retained third-party vendors and applications to assist with protecting health information, as well as with auditing and certifying its information security program.
7. Advocate Medical Group
Between July and November 2013, Advocate Medical Group (AMG), a physicians' group with more than 1,000 doctors, reported three separate data breaches. In the first breach, thieves stole four desktop computers from an administrative office in Park Ridge, Illinois. The computers contained the records of nearly 4 million patients.
The second breach involved an unauthorized third party, which gained access to the network of the billing services provider of AMG and potentially compromised the health records of more than 2,000 patients. Finally, an unencrypted laptop containing patient records of more than 2,230 people was stolen from an AMG staffer's car.
Patient names, addresses, dates of birth, credit card numbers with expiration dates, demographic information, clinical information, and health insurance data were compromised.
Cyberattack type: Physical theft
Cost: $5.55 million
People affected: 4 million
After the breach, Advocate reinforced its security protocols and encryption program with its associates. It also added 24x7 security personnel at the facility where the computers were stolen and accelerated deployment of enhanced technical safeguards.
6. Community Health Systems
In 2014, Community Health Systems, which at the time operated 206 hospitals in 29 states, suffered a network data breach that exposed the personal information of 4.5 million individuals. The organization's 8-K filing to the U.S. Securities and Exchange Commission (SEC) stated that an "advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems."
Compromised data included names, addresses, birth dates, telephone numbers, and Social Security numbers.
- Cyberattack type: Malware
- Location: Tennessee
- Cost: $3.1 million
- People affected: 4.5 million
Community Health Systems engaged an outside forensics expert to conduct a thorough investigation and remediation of this incident. The company then implemented a number of efforts designed to protect against future intrusions. This included implementing additional auditing and surveillance technology to detect unauthorized access, adopting advanced encryption technologies, and having users change their access passwords.
5. University of California, Los Angeles Health
In 2014, officials from UCLA Health discovered suspicious activity on its network. At the time, they determined that hackers had not gained access to systems containing personal and medical data.
However, in 2015, officials confirmed the cyberattack had indeed compromised systems with patient information—including names, Social Security numbers, dates of birth, health plan identification numbers, and medical data.
Cyberattack type: Malware
Cost: $7.5 million
People affected: 4.5 million
As a result of a class-action lawsuit, UCLA Health agreed to update its cybersecurity practices and policies. The organization also began working with the FBI and hired computer forensic experts to secure its network—implementing measures such as assessing emerging threats and potential vulnerabilities.
4. Excellus Health Plan, Inc.
Excellus reported in 2015 that the data of 10 million clients might have been exposed in a cyberattack dating all the way back to 2013.
Excellus hired a cybersecurity firm to conduct a forensic review of its computer systems. The third-party firm found that the names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claim data of Excellus clients were compromised.
- Cyberattack type: Malware
- Location: New York
- Cost: $17.3 million
- People affected: 10 million
Although the affected data was encrypted, the hackers gained access to administrative controls, making the encryption moot. The company said it moved quickly to close the vulnerability, and to strengthen and enhance the security of its systems moving forward.
3. Premera Blue Cross
In 2014, hackers sent a phishing email to a Premera employee. The email included a link to download a document containing malware. Once the employee clicked on the link and downloaded the document, the hackers were able to access Premera's server.
Premera failed to detect the breach for eight months. The company hired a cybersecurity consulting firm that attributed the breach to agents associated with the Chinese government.
Premera Blue Cross paid $74 million to settle a class-action lawsuit resulting from the data breach.
- Cyberattack type: Phishing
- Location: Washington State
- Cost: $74 million
- People affected: 11 million
Under the settlement of the lawsuit, the insurer agreed to improve its information security program. It began encrypting certain personal data, strengthened specific data security controls, and increased network monitoring.
Premera was also required to add stronger passwords, reduce employee access to sensitive data, enhance its email security, and perform annual third-party vendor audits.
2. American Medical Collection Agency
In 2018, hackers breached American Medical Collection Agency (AMCA), which provided billing collections services for Quest Diagnostics, LabCorp, and others.
The unknown attacker was able to access and steal patient data, including Social Security numbers, addresses, dates of birth, medical information, and payment card information. The stolen data was later advertised for sale in underground forums on the dark web.
After AMCA's four largest clients terminated their agreements, the company filed for bankruptcy. In the meanwhile, a multistate investigation into the breach by 41 attorneys general that concluded in December 2020 may hold the company liable for $21 million in injunctive damages.
- Cyberattack type: Hacked online payment portal
- Location: New York
- Cost: $3.8 million (and growing)
- People affected: 26 million
AMCA migrated its web payments portal services to a different third-party vendor. It also hired an outside forensics firm to investigate the breach and retained additional experts to advise on and implement steps to increase its security.
1. Anthem, Inc.
In 2015, Anthem (formerly WellPoint) disclosed that attackers accessed its corporate database by way of a phishing email, thereby also gaining access to the organization's ePHI.
The hackers stole nearly 79 million records containing patient and employee data. Compromised data included names, addresses, Social Security numbers, birth dates, medical IDs, insurance membership numbers, income data, and employment information. This is the largest healthcare industry cyberattack in history.
- Cyberattack type: Phishing/malware
- Location: Indiana
- Cost: $115 million
- People affected: 78.8 million
Anthem agreed to pay a total of $115 million to resolve the litigation. As part of the settlement, Anthem was also ordered to implement sweeping "changes to its data security systems and policies," and to nearly triple its cybersecurity budget, wrote the U.S. District Judge who approved the settlement.
Reducing the Risk of a Data Breach
This list of the top 12 cybersecurity attacks in healthcare is only the tip of the iceberg. It's a reminder to risk managers in the healthcare industry about the critical importance of security and compliance fundamentals.
As these data breaches and many others have shown, the consequences of not having strong security practices in place can range from class-action lawsuits to irreparable damage to brand reputation and patient trust. In addition, there's the steep financial cost of recovery and HIPAA penalties and fines.
Basic cybersecurity readiness includes performing a comprehensive security risk analysis, addressing vulnerabilities, providing ongoing employee training—both formal and informal—and continuously reviewing information system activity.
To defend against cybercriminals targeting the sector, healthcare organizations need visibility into what occurs across their environments, along with 24x7, real-time monitoring of suspicious activity so they can take immediate action when necessary.
Security operations are critical for those healthcare providers in their commitment to protect patients' personal information. Organizations that have limited in-house expertise and resources should consider cost-effective alternatives to in-house security operations.
Learn more about how Arctic Wolf, the leader in security operations, can protect your healthcare organization through a range of security operations solutions.