Data breaches are a constant threat in healthcare. Even the possibility of a leak of personal health information requires action. The organization responsible has to report the breach to the Office for Civil Rights and notify the people who could have been affected. Some of the events in 2016 had an impact on millions.
Here are ten of the biggest breaches reported last year. The causes varied. Intrusions into computer networks were the most significant source of breaches, but stolen devices and mishandling of paper records also figured in. Ransomware attacks that damaged data without exposing it aren’t included.
How do we assess which ones did the most damage? The raw number of compromised records is only one factor, though it’s the easiest to quantify. Some kinds of information are more damaging than others. The likelihood that the files actually fell into criminal hands or public view affects the severity. It’s hard to put a number on these factors, but the order of this list tries to take all of them into account.
1. Banner Health
An online attack on Banner Health in Phoenix, Arizona, put the personal health records or credit card information of 3.62 million people at risk. This breach ranks at the top both for its raw number and for its severity.
The entry came through point-of-sale terminals at the system’s food service locations. PoS terminals are often a weak point in computer networks, and the terminals were on the same network as Banner’s clinical systems. The attack started on June 17, and Banner discovered it on July 13. Although this was the biggest breach of 2016, it fell far short of the 78 million people affected by the Anthem breach of 2015.
Healthcare information that the attack compromised included patient names, birthdates, claim information, and Social Security numbers. Multiple lawsuits have followed.
The severity of the breach was largely the result of not keeping data separate. Banner didn’t isolate its retail credit card processing from its clinical network. Both systems contained sensitive information, and criminals going after credit card information were able to grab personal health information with little extra effort.
2. 21st Century Oncology
On March 4, 21st Century Oncology announced that a breach of its patient information had occurred in 2015. The FBI had notified the nationwide cancer treatment organization of the intrusion on November 13. It asked 21st Century to delay telling the public so that it could conduct its investigation. Normally, it’s mandatory to notify affected people within 60 days of the discovery.
21st Century told 2.2 million patients of the incident. Compromised information included patients’ names, Social Security numbers, diagnoses, treatment information, and insurance information.
The Web page where 21st Century Oncology explained the breach has been deleted or moved.
3. Newkirk Products
On May 21, someone broke into a server belonging to Newkirk Products, which provides management services and identification cards for health insurance plans. Newkirk announced the breach on August 5. The leak included members’ names, mailing addresses, program information, primary care providers, and Medicaid numbers. Four Blue Cross Blue Shield organizations were among the affected insurers. About 3.3 million people’s records were affected, but no Social Security numbers, credit card information, or claim information was leaked.
The number of affected records exceeded the 21st Century breach, but it takes third place here because of the less sensitive nature of the compromised information.
4. Peachtree Orthopaedic Clinic
The breach at Peachtree Orthopaedic Clinic outranks some cases with a bigger number of exposed records. In this case, there’s evidence that documents were actually stolen and offered for sale, rather than merely being exposed. On September 22, the Atlanta-based clinic discovered that protected health information on about 531,000 patients had been compromised. It promptly notified patients and the FBI.
Reports on the Internet say that a person or organization called “TheDarkOverlord” acquired confidential patient information and made extortion demands. Some accounts had weak passwords, making the break-in easier. The aim might have been to get information on members of Atlanta sports teams, with blackmail rather than the black market in mind.
5. Valley Anesthesiology and Pain Consultants
Someone broke into the systems belonging to Valley Anesthesiology and Pain Consultants on March 30, and VAPC discovered the breach on June 13. A forensics firm investigated but couldn’t say definitively whether the attacker obtained confidential patient information. The systems held patient names, insurance identification numbers, Social Security numbers, bank account numbers, and other information. About 882,590 patients’ information was at risk.
VAPC provides services to 21 hospitals. Little information is available about the breach’s source or nature.
6. Bon Secours Health System
On June 14, just a day after VAPC announced its data breach, Bon Secours Health System discovered that records on 655,000 patients had been left exposed. One of its vendors, R-C Healthcare Management, had misconfigured its network in April, exposing data on patients in Virginia, South Carolina, and Kentucky. Patient names, Social Security numbers, and bank account information may have been exposed, though not medical records. R-C’s error may have exposed data from another medical center as well.
Bon Secours runs twenty hospitals and other healthcare facilities. There is no positive evidence that unauthorized people obtained patient information, nor that they didn’t.
7. California Correctional Health Care Services
Some breaches start with the theft of a device. This happened to California Correctional Health Care Services on February 25 when a laptop computer was stolen from a staff member’s car. It held personal health information on up to 400,000 people. CCHCS reported the incident on May 16.
What made this theft really problematic was that the information on the computer wasn’t encrypted, but only password-protected. Bypassing the password isn’t difficult when a thief has physical possession of a device. According to the CCHCS report, it may have held personally identifiable information and personal health information for people incarcerated between 1996 and 2014. This presumably includes the fact that they were imprisoned. There was no record of which individuals’ information was on the laptop, so CCHCS notified everyone who might plausibly have been affected.
8. Central Ohio Urology Group
The breach of the Central Ohio Urology Group’s files was especially severe because someone posted some of those files to the Internet. They included information on patients, employees, and payers. This information contained names, addresses, phone numbers, email addresses, Social Security numbers, driver’s license numbers, diagnosis information, and more.
A Ukrainian political group is reported to have stolen the documents, perhaps just to draw attention to itself. For maximum dramatic effect, it announced the availability of the material on Twitter. 300,000 individuals were affected. The attacker reportedly used SQL injection, a common way of exploiting flaws in how an application builds its database queries.
9. Radiology Regional Center
Data breaches don’t always involve computers. On February 12, the Radiology Regional Center in Florida reported that documents had fallen off a truck carrying them for incineration. The Lee County Solid Waste Division lost them on December 19, 2015, with papers flying all over driveways, sidewalks, and canals. Employees of RRC, including doctors, searched the streets in Fort Myers for the next few days, recovering nearly all the documents. As many as 480,000 people’s records were in the load.
The cause was a county employee leaving a door on the truck unlocked. The records included accounting statements, phone bills, and invoices. Most of the information was at least ten years old, but much of it could still be valid. The information included patients’ names, birth dates, health insurance numbers, and Social Security numbers.
10. Premier Healthcare
A stolen laptop led to the exposure of 205,748 patient records from Premier Healthcare in Bloomington, Indiana. The computer was password-protected but not encrypted. On January 4 it was discovered to be missing from the billing department, a locked area where the public wasn’t supposed to be (http://www.healthcareitnews.com/news/premier-healthcare-faces-possible-data-breach-could-affect-200000-patients). It isn’t known whether the thief made any use of the records. The records included names, addresses, birth dates, Social Security numbers, financial information, and insurance information.
The computer came back in the mail on March 7. An examination of the machine suggested it had never been powered up. This remains a mystery, but people will accept good fortune whenever they can.
Looking toward 2017
Unfortunately, information losses are going to continue into 2017 and beyond. New kinds of attacks will develop. It’s impossible to prevent all breaches, so it’s necessary to detect them and act on them as quickly as possible, to minimize the damage. A prompt response minimizes the damage to an organization’s reputation, even if admitting to the problem is painful, and it reduces the likelihood of significant HIPAA fines.
Data security is particularly challenging for healthcare organizations because they have simultaneous commitments to keeping data private and secure, and to making it available where it’s necessary for the patient’s well-being. Healthcare organizations need to find ways to do both.