Top 10 healthcare data breaches of 2016
Here is the annual countdown of the Top 10 healthcare data breaches of 2016, in the US.
- 10. Premier Healthcare, LLC
Premier Healthcare reported a potential healthcare data breach in March, affecting 205,748 individuals, according to the US Office for Civil Rights (OCR) at HHS.gov.
A laptop was stolen from Premier’s billing department, but was returned to the provider in the mail “on or about March 7, 2016.” An investigation determined that the laptop had not been powered on since it went missing on December 31, 2015.
Premier also explained in its online statement that there was no evidence showing that the information on the laptop was inappropriately accessed.
- 9. Central Ohio Urology Group, Inc.
Central Ohio Urology Group (COUG) reported in October that an unauthorized individual posted files and documents to an online drive accessible on the Internet on August 2, 2016.
The information of 300,000 patients, employees, and individuals who paid for medical services was reportedly affected.
While the information was removed from the drive within hours, names, addresses, telephone numbers, emails, dates of birth, Social Security numbers, driver’s license and state identification numbers, patient identification numbers, medical and health plan information, account information, diagnosis or treatment information, health insurance information and identifiers, and employment-related information may have been exposed. All they left out was “the kitchen sink”!
- 8. California Correctional Health Care Services
California Correctional Health Care Services had 400,000 individuals affected by a possible data breach in April, according to OCR.
PHI may have been exposed for patients in the California Department of Corrections and Rehabilitation who were incarcerated between 1996 and 2014, after an unencrypted work laptop was stolen from an employee’s personal vehicle. However, California Correctional Health Care Services said that the device was password-protected.
Appropriate actions were immediately implemented and shall continue to occur, said its Director of Communications and Legislation. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes, and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.
- 7. Radiology Regional Center, PA
Florida-based Radiology Regional Center reported in February 2016 that patient information may have been exposed after some paper records were found on a street on December 19, 2015. Approximately 483,000 individuals were affected, OCR reported.
A small quantity of records fell onto the street while being transported by the Lee County Solid Waste Division, Radiology Regional explained. That division is also responsible for the disposal of Radiology Regional’s patient records.
As a result of numerous searches, they believe that virtually all of the records were retrieved. To ensure an incident like this does not happen again, they have taken steps to change how paper records are transported and destroyed.
- 6. Peachtree Orthopaedic Clinic
Peachtree Orthopaedic Clinic reported to OCR in November that 531,000 individuals may have been impacted by a cybersecurity attack it experienced on September 22, 2016.
Patient names, home addresses, email addresses, and dates of birth were “potentially taken” in the unauthorized access, Peachtree said in its online statement. Patient treatment codes, prescription records, or Social Security numbers may also have been taken in some cases.
Individuals who were patients prior to July 2014 “may be affected,” while there were also a “small number of cases” where individuals who were patients after that time may also have been impacted.
- 5. Bon Secours Health System Incorporated
South Carolina’s Bon Secours Health System, Inc. reported in August 2016 that 651,971 individuals were likely affected by a data breach stemming from a vendor error.
The vendor, R-C Healthcare Management, inadvertently made patient files available online while it attempted to adjust its computer network settings from April 18 to April 21, 2016, a window of just four days.
While medical records were not made accessible, patients’ names, health insurers’ names, health insurance identification numbers, limited clinical information, Social Security numbers, and in some instances, bank account information may have been exposed.
- 4. Valley Anesthesiology and Pain Consultants
Valley Anesthesiology and Pain Consultants (VAPC) notified OCR in August 2016 that 882,590 individuals may have been impacted by unauthorized access on one of its computer systems.
The initial hacking may have occurred on March 30, 2016, but VAPC became aware of the incident on June 13, 2016.
Patient data, provider information, and certain employee information may have been exposed, according to VAPC. Those whose Social Security numbers or Medicare numbers were involved were offered free credit monitoring and identity protection services.
- 3. 21st Century Oncology
A 21st Century Oncology database was inappropriately accessed by an unauthorized third party toward the end of 2015, potentially exposing information of 2,213,597 individuals.
21st Century notified OCR in March 2016, claiming in an online statement that the delay occurred because the FBI had requested a delay in notification so there would be no interference in its investigation.
The intruder may have accessed the database on October 3, 2015, possibly compromising patient names, Social Security numbers, physicians’ names, diagnosis and treatment information, and insurance information.
“We continue to work closely with the FBI on its investigation of the intrusion into our system,” 21st Century explained. “In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.”
- 2. Newkirk Products, Inc.
Newkirk Products, Inc., which issues healthcare ID cards for health insurance plans, announced in August 2016 that it had experienced a cybersecurity attack. OCR lists 3,466,120 individuals as potentially having had their information affected.
On July 6, 2016, Newkirk discovered that a server containing member information had been accessed without authorization. Newkirk shut down the server and started an investigation into the incident, hiring a third-party forensic investigator to determine the extent of the unauthorized access and whether the personal information of its clients’ members may have been accessed. Newkirk also notified federal law enforcement.
At the initial announcement, Newkirk stated that no health plan systems were accessed or affected in any way. However, potentially accessed information included some combination of member names, mailing addresses, type of plan, member and group ID numbers, names of dependents enrolled in the plan, primary care providers, and in some cases, dates of birth, premium invoice information and Medicaid ID numbers.
- 1. Banner Health
The largest reported data breach in the healthcare sector for 2016 was Banner Health, with 3.62 million individuals impacted by a cybersecurity attack that occurred over the summer.
Banner discovered the issue on July 13, 2016, but a third-party forensics investigation found that the initial attack had occurred on June 17, 2016, almost a month before it was detected!
There were “a limited number of Banner Health computer servers as well as the computer systems that process payment card data at certain Banner Health food and beverage outlets” affected in the attack, according to Banner.
Patients, members and beneficiaries, and food and beverage outlet customers may have all had certain information exposed.
The food and beverage outlet breach was discovered on July 7, 2016, while payment cards used at 27 different Banner Health locations from June 23, 2016 to July 7, 2016 may have been affected. Arkansas, Arizona, Colorado, and Wyoming all have possibly affected locations.
The attackers targeted payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems, explained Banner.
However, the list would be incomplete if we did not include the following hacks in 2016:
- the CIA’s disclosure that Russia interfered in the U.S. election,
- the spectacular $81 million Bangladesh cyber heist,
- and, not to be “outgunned”, the Yahoo hack, which saw a billion customers have their credentials stolen.
It has been a long time since Yahoo has been number one in any market, but in September 2016, it “achieved” a new distinction: the single largest public data breach in human history.
In summary, the numbers are astonishing, with tectonic-shift-like potential implications for companies and organizations of all kinds:
- 500 million+ accounts affected.
- The $4.8 billion Verizon acquisition of Yahoo now clearly in jeopardy.
- Two years from the incident’s estimated starting point to Yahoo’s detection and public disclosure of the breach.
- Nearly doubled 2016’s already history-making publicly acknowledged data breach record count.
The bad guys had a busy year in 2016, and I think that it is safe to say 2017 will be worse.