Though many of us know that healthcare data is valuable, not all of us are aware of exactly how valuable it is. Electronic health records (EHRs) are a one-stop shop for all the data a hacker wants: medical, financial, and personal. Some data doesn’t age either—for example, your birth date and Social Security number never change.
And whereas credit card theft can quickly be reported to the financial institution, so immediate action can be taken, approximately two-thirds of healthcare breaches go undetected for months or even years.
This makes it easier for cyber criminals to access and then sell large batches of personal data on the dark web, create fake medical IDs to buy medical equipment, or file fictitious claims with insurers.
Because of how valuable EHR data is, healthcare data breaches have become increasingly more sophisticated, resulting in larger numbers of records being exposed.
The statistics are frightening—89% of all healthcare organizations have experienced a data breach, and 88% of all ransomware attacks target the healthcare industry.
What’s the cost? The average cost of a healthcare data breach is $408 per stolen record, $260 more per record than the global average across other industries.
Still not scared? Here are a few of the biggest healthcare breaches in history—and why they scare even us!
Worst of All Time: Anthem Blue Cross
Anthem Blue Cross is one of the biggest health insurance providers in the United States. To date, the Anthem Blue Cross breach is the worst healthcare data breach of all time.
In February 2015, Anthem announced that it had suffered a major data breach.
Two months earlier, employees began to notice suspicious queries in the system. Incursions continued until the end of January 2015. In the end, a total of 375 million records were breached, exposing the information of 80 million Americans.
Although no credit card data was stolen, plenty of other data was compromised, including full names, physical addresses, email addresses, Social Security numbers, birth dates, insurance membership numbers, medical IDs, employment information, and income data.
In the aftermath, Anthem became the subject of multiple lawsuits and, ultimately, paid out a $115 million settlement—the largest ever for a data breach. The company also spent more than $260 million on security-related measures, including engaging expert consultants, implementing security improvements, notifying affected individuals, and providing credit protection to customers impacted by the breach.
Why was this breach so scary?
It could have been prevented. Anthem didn’t encrypt the stolen information because it wasn’t covered by HIPAA or HITECH.
Hackers were able to get their hands on network credentials for multiple privileged users who had high-level access to the IT system. Most likely, they accessed these credentials through a phishing attack.
To add insult to injury, the Anthem breach triggered additional phishing scams. Customers received fraudulent emails that included a “click here” link for credit monitoring.
Runner-up: Premera Blue Cross
To date, the Premera Blue Cross breach is the second largest (and scariest) healthcare data breach, affecting 11 million people. Like Anthem, Premera is a health insurance company.
The Premera Blue Cross breach was discovered on the same day as the Anthem breach. However, the initial attack occurred in May 2014. The attackers were able to penetrate Premera’s network and use sophisticated tools and tactics to gain broad access to it.
Although the breach involved a malware attack, further investigation was unable to determine if the source was a phishing email, a contaminated website, or another source of intrusion.
Currently, a lawsuit is before the courts arguing that Premera failed to protect consumers against this data breach. Unlike in the Anthem breach, both medical and financial information was exposed. The stolen data went back 13 years and included everything from medical records and bank account information to Social Security numbers and dates of birth.
Why was the Premera breach so scary?
Premera was warned three weeks before the breach took place that it lacked sufficient network security. The company failed to implement critical patches and other software updates in a timely manner. Auditors found that several servers contained software applications so old that they were no longer supported by the vendor and had known security problems. Additionally, servers contained "insecure configurations" that could grant hackers access to sensitive information.
The Premera breach "is more egregious than the Home Depot or Target breaches because those [credit] cards can be cancelled. . . . Unlike those other breaches, the information involved in the Premera breach can be used to file fraudulent tax returns and fraudulently secure healthcare in someone else's name,” stated John Yanchunis, an attorney for the firm representing the plaintiffs, in a 2015 HealthcareInfoSecurity.com article about the breach.
Rounding Out the Top 3: Excellus Blue Cross Blue Shield
The health insurance company Excellus Blue Cross Blue Shield experienced the third largest healthcare breach of all time. More than 10 million people were affected in the company’s 2015 data breach.
In September 2015, Excellus announced it had suffered a data breach. The breach actually started in 2013, but it took the company 20 months to detect it. Hackers took member names, dates of birth, SSNs, medical claims data, financial account information, addresses, and phone numbers.
In the resulting, and ongoing, class action lawsuit, plaintiffs claim that Excellus didn’t take adequate measures to protect their data. So far, Excellus has spent more than $17 million on credit monitoring and protection services alone.
Why was this breach so scary?
An audit that took place a year before the breach began noted that risk assessment policies and procedures failed to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (PHI).
Moreover, it took almost two years to detect the breach—giving hackers plenty of time to access and steal customer records.
2018’s Worst Data Breaches (So Far)
Between January and July 2018 (the most recent data available), 221 breaches were reported for a total of almost 5.5 million exposed records.
The three worst so far are: UnityPoint Health, the California Department of Developmental Services, and MSK Group, in that order. It’s too early to tell what penalties will arise from these breaches, but if recent history is any guide, it’s quite likely clients will sue in court for losses or damages.
The government could also levy financial penalties against these organizations. HIPAA penalties can range anywhere from $100 to $50,000 per record, with a maximum fine of $1.5 million per year.
UnityPoint’s March breach affected 1,421,107 individuals. It was caused by a phishing attack that spoofed an executive’s email account and sent messages to UnityPoint Health employees. Several members of staff were fooled by the emails, giving hackers access to internal email accounts for nearly a month. Worse still, this was the second breach UnityPoint has suffered this year.
California’s Department of Developmental Services
The California DDS’s February breach affected 582,000 individuals. This breach was the result of a low-tech attack: vandals ransacked a state office and stole 12 encrypted government computers. Because of extensive fire and water damage, investigators were unable to determine whether paper records containing PHI in the office were compromised.
The last in this roundup, the breach of MSK Group (an orthopedic practice), affected 566,236 individuals. A security incident in May revealed that unauthorized access to parts of MSK Group’s network containing PHI had occurred over a period of several months. Fortunately, it does not look like any of this information was removed from the network.
What Can Be Done?
No one wants to face the financial penalties, lawsuits, and reputational damage that data breaches inflict on organizations. These breaches drive the need for more complete and integrated identity and access management (IAM) technologies that strengthen security while still enabling high-quality patient care.
IAM protects against data breaches by ensuring that only authorized personnel can access sensitive data. IAM uses features such as:
- Multi-factor authentication (MFA), which mitigates the “human factor” with risk-based authentication
- Privileged access management, which protects accounts with elevated privileges
- Identity lifecycle management, which automates deprovisioning and access changes to eliminate the risk of orphan accounts and entitlement creep
- Comprehensive identity governance capabilities, which enforce least privilege access, conduct access reviews and certifications, and provide comprehensive audit logging and reporting
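As an added example (not code from the original post), the following small access review shows what the lifecycle and governance checks above look like in practice: it compares a constructed HR roster against a constructed account inventory and flags orphan accounts, entitlement creep beyond assumed role baselines, privileged accounts without MFA, and accounts idle past an assumed 90-day threshold.

```python
from datetime import date

# Constructed HR roster (employee id -> status, role): the IAM source of truth.
HR_ROSTER = {"e1001": ("active", "claims_analyst"),
             "e1002": ("terminated", "claims_analyst"),
             "e1003": ("active", "dba")}

# Constructed account inventory: entitlements, MFA state and last login per account.
ACCOUNTS = [
    {"user": "e1001", "ents": {"claims_read"}, "mfa": True, "last_login": date(2018, 7, 2)},
    {"user": "e1002", "ents": {"claims_read", "claims_write"}, "mfa": True, "last_login": date(2018, 6, 20)},
    {"user": "e1003", "ents": {"db_admin", "claims_read", "finance_read"}, "mfa": False, "last_login": date(2018, 7, 1)},
    {"user": "svc_legacy", "ents": {"db_admin"}, "mfa": False, "last_login": date(2017, 1, 15)},
]

# Assumed least-privilege baselines per role, and which entitlements count as privileged.
ROLE_BASELINE = {"claims_analyst": {"claims_read"}, "dba": {"db_admin", "claims_read"}}
PRIVILEGED = {"db_admin", "claims_write"}
REVIEW_DATE = date(2018, 7, 31)  # assumed date the review is run

def orphan_accounts(accounts, roster):
    """Accounts whose owner is missing from HR or no longer active: deprovisioning was missed."""
    return sorted(a["user"] for a in accounts if roster.get(a["user"], ("", ""))[0] != "active")

def entitlement_creep(accounts, roster, baseline):
    """Active users holding entitlements beyond their role's baseline (entitlement creep)."""
    creep = {}
    for a in accounts:
        status, role = roster.get(a["user"], ("", ""))
        extra = a["ents"] - baseline.get(role, set())
        if status == "active" and extra:
            creep[a["user"]] = sorted(extra)
    return creep

def privileged_without_mfa(accounts, privileged):
    """Accounts holding an elevated entitlement but not protected by MFA."""
    return sorted(a["user"] for a in accounts if a["ents"] & privileged and not a["mfa"])

def stale_accounts(accounts, as_of, max_idle_days=90):
    """Accounts idle longer than the review threshold (90 days is an assumed policy value)."""
    return sorted(a["user"] for a in accounts if (as_of - a["last_login"]).days > max_idle_days)

def access_review(accounts, roster, baseline, privileged, as_of):
    """One certification report bundling all the checks for a reviewer to act on."""
    return {"orphans": orphan_accounts(accounts, roster),
            "creep": entitlement_creep(accounts, roster, baseline),
            "privileged_no_mfa": privileged_without_mfa(accounts, privileged),
            "stale": stale_accounts(accounts, as_of)}

if __name__ == "__main__":
    print(access_review(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, PRIVILEGED, REVIEW_DATE))
```

In the constructed data, the terminated analyst and the unowned service account surface as orphans, the DBA's extra finance entitlement surfaces as creep, and the dormant service account also fails both the MFA and idle checks.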
Breaches aren’t going to go away. However, putting the right solution in place can help quell your organization’s fears of becoming the next headline.