10 Major Medical Data Breaches (And What You Can Learn From Them)

10 Major Medical Data Breaches

Just as technology helps the healthcare industry with delivering patient care via a balancing act of convenience, data storage and access to decision support tools. It also presents serious cybersecurity risks.

If you think about it: the easier it is for you to access Protected Health Information (PHI), the easier it is for cybercriminals to do so as well unless the proper safeguards are put in place.

If you want to take advantage of the benefits that modern healthcare technology has to offer, then you have a responsibility to make sure it’s properly secured against today’s common cybercrime threats.

Unfortunately, throughout the industry, that doesn’t appear to be the case…

10 Medical Sector Data Breaches Since 2017

  1. 2.6M Records Breached – ACCUDOC Solutions, Inc. (Nov. 2018): Cybercriminals gained access to private patient data through a third-party vendor’s vulnerability.
  2. 1.2M Records Breached – Employees Retirement System of Texas (Oct. 2018): A software bug present in the ERS systems used by the organization allowed outside parties to view private patient data.
  3. 679K Records Breached – Commonwealth Health Corporation (March 2017): With no justifiable cause, an employee downloaded patient data onto a CD and USB drive.
  4. 582K Records Breached – CA Department of Developmental Services (April 2018): Thieves broke into DDS offices and stole hardware that contained hundreds of thousands of patient records.
  5. 556K Records Breached – MSK Group (May 2018): This organization’s group network was accessed, compromising personal patient data.
  6. 566K Records Breached – CNO Financial Group (Oct. 2018): Via phishing, cybercriminals gained access to a range of patient medical and financial data.
  7. 538K Records Breached – LifeBridge Health Inc. (May 2018): Malware was present on the organization’s systems for over two years, providing wide access to patient data (and resulting in a class-action lawsuit against LifeBridge).
  8. 500K Records Breached – Airway Oxygen Inc. (June 2017): Cybercriminals executed a ransomware attack, using a range of patient data to hold Airway at ransom.
  9. 417K Records Breached – AU Medical center, Inc. (August 2018): Multiple phishing attacks over the course of two years provided hackers with access to a range of patient medical data.
  10. 326K Records Breached – UCONN Health (Feb. 2019): A cybercriminal used phishing tactics to access the organization’s database and the medical data stored within it.

How To Prevent A Data Breach

You’ll notice that there are really only a few patterns present in these attacks which counted together have resulted in millions of breached patient records. By implementing just a few straightforward cybersecurity practices, you can easily mitigate many of these risks.

Protect & Back Up Your Data

In prevention, you need to make sure your staff understands how ransomware works, and how it tends to make it onto a victim’s network – that is, by tricking an unsuspecting user into opening an email that’s carrying ransomware and triggers the breach.

In the end, it comes down to whether or not you have a data backup. If you do, then it doesn’t matter if your data has been encrypted. You can just replace it with a known good backup, it is as simple as that. Although, this solution relies on having a verified and tested backup to fall back on the sad truth is most do not have a viable backup that will enable a quick recovery.

When developing your data protection processes, keep these three recommendations in mind:

  • Make a considerable investment in a comprehensive backup data recovery solution so that you can restore your data at a moment’s notice when necessary.
  • Train your employees to recognize spoofed and false emails so that they don’t download a malware-infected attachment and help the hacker encrypt your data. This item alone will have the biggest impact if it is successful as the ransomware is avoided and the breach did not happen.
  • Be sure to make the most of the available resources (both via a trusted peer source and through an expert IT support professional) to ensure that you’re not overlooking vulnerabilities in your IT security.

Beyond the simple security updates, it’s worth noting that most ransomware often penetrates many systems via conventional phishing schemes, in which a fraudulent email requests that the recipient downloads an attachment, or clicks a link.

Train Your Staff To Recognize Phishing Emails

Make sure that you and your staff are on the lookout for suspicious emails, as they are likely part of a phishing scam – but how can you know for sure?

  1. Watch For Overly Generic Content And Greetings
    Cybercriminals will send a large batch of emails. Look for examples like “Dear valued customer.”
  2. Examine The Entire From Email Address
    The first part of the email address may be legitimate, but the last part might be off by a letter or may include a number in the usual domain (a look alike domain)..
  3. Look For Urgency Or Demanding Actions
    “You’ve won! Click here to redeem a prize,” or “We have your browser history pay now or we are telling your boss.”
  4. Carefully Check All Links
    Mouse over the link and see if the link’s destination matches where the email implies you will be taken.
  5. Don’t Click On Attachments Right Away
    Virus containing attachments might have an intriguing message encouraging you to open them such as “Here is the Schedule I promised.”

Implement a Business Associate Agreement

Your BAA should require a Business Associate to:

  • Have appropriate safeguards in place and take any necessary steps to comply with the provisions of the Security Rule where applicable to your circumstances
  • Have a process in place to notify you of any unauthorized use or disclosure of PHI that the Business Associate becomes aware of, including breaches of unsecured PHI and security incidents
  • Take steps to ensure that any subcontractors employed by the Business Associate to receive, maintain, create, or transmit PHI on the Business Associate’s behalf are in agreement with and will be held to the same restrictions and conditions as the Business Associate
  • Provide ready availability of PHI to individuals with certain rights (access, amendment, accounting, etc.)
  • Have their internal practices and records relating to the use and disclosure of any and all PHI made available to the Secretary of the Department of Health and Human Services (HHS) for the purpose of determining your practice’s HIPAA compliance
  • Agree in clear terms regarding the return or destruction of all PHI if the BAA is terminated. If PHI cannot be returned or destroyed for any reason, the Business Associate must agree to extend the protections offered by the BAA and limit any further uses and disclosures of the PHI in question

Work With A Cybersecurity Expert

If you’re not sure about how to ensure your protection against ransomware and other cybercrime threats, then don’t try “fake it ’till you make it”. Be sure to consult an expert if you’re unsure as to the state of your healthcare organization’s cybersecurity defenses.

Like this article? Check out the following blogs to learn more:

11 Ways You Can Benefit From Assisted IT Services

Managed IT Helps Your Bottom Line: 6 Ways How

5 Ways Managed IT Services Is the Right Choice for Your Business

Contact Info

Stay Connected