Healthcare is a highly sensitive and heavily regulated industry. Recently, the healthcare and life science industry is being overwhelmed by cyberthreats. The rising demand for improved quality healthcare, products, experiences, services, and information has left the industry vulnerable to bad actors wanting to capitalize on the weakness. This past year proved to be a particularly dire year for the healthcare industry facing data breaches. Overall, 40,099,751 individuals' records were affected by exposures reported to the federal government.
As required by HITECH and HIPAA, covered entities must report healthcare data breaches of unsecured protected health information (PHI.)More than 550 organizations reported healthcare data breaches to the federal government in 2021, impacting over 40 million individuals. One has to wonder about the unreported extent of unreported cases.
For anyone who needs a summary of the year’s events, Healthcare IT News has compiled a list of the largest public cloud data breaches reported in the U.S.
Organization: 20/20 Eye Care Network, Inc.
Date reported: 5/24/2021
Number of individuals affected: 3,253,822
What happened? The eye care network 20/20, which provides eye and ear care services and administration, discovered suspicious activity in its Amazon Web Services environment. After an investigation, it determined that data had been potentially removed, possibly including personal information. Later 20/20 faced a lawsuit over the breach.
Organization: Forefront Dermatology
Date reported: 7/8/2021
Number of individuals affected: 2,413,553
What happened? The Wisconsin-based organization, which has locations in 21 states and the District of Columbia, reported that an intrusion resulted in unauthorized access to certain files on Forefront's IT system containing patient and employee information.
Organization: NEC Networks, LLC
Date reported: 5/5/2021
Number of individuals affected: 1,656,569
What happened? NEC, which does business as CaptureRx, said it became aware of "unusual activity" involving some electronic files. An investigation determined that the relevant files contained the first name, last name, date of birth, and prescription information.
Organization: Eskenazi Health
Date reported: 10/01/2021
Number of individuals affected: 1,515,918
What happened? The Indiana-based health system said cybercriminals had gained access to their network for nearly three months. Eskenazi Health did not make a ransom payment, and the criminals released some of the stolen data on the dark web.
Organization: The Kroger Co.
Date reported: 2/19/2021
Number of individuals affected: 1,474,284
What happened? The Midwest grocery chain was affected by a data security incident affecting Accellion, a file-sharing company. Clinic customer information was found to be at risk, including pharmacy records.
Organization: St. Joseph's/Candler Health System, Inc.
Date reported: 8/10/2021
Number of individuals affected: 1,400,000
What happened? The ransomware incident took the Georgia health system offline for multiple days. The unauthorized party had been able to access the network for six months.
Organization: Premier Diagnostics
Date reported: 1/25/21
Number of individuals affected: 50,000 patients
What happened? Premier Diagnostics Utah COVID-19 testing service exposed thousands of ID scans, including driver’s licenses, medical insurance cards, passports, and other IDs, on the web without a password or any other authentication required to access it.
Organization: Professional Business Systems, Inc.
Date reported: 7/1/2021
Number of individuals affected: 1,210,688
What happened? The practice management company, which does business as Practice First Medical Management Solutions and PBS Medcode Corp., said that hackers attempting to deploy ransomware had copied files from its system containing patient information.
To see more data breaches, check out the HIPAA “wall of shame,” the portal provides information on the number of individuals impacted, the breach submission date, type of breach, and the location of the breached information. Or for information on cloud security-specific data breaches, review Sonrai Security’s Breach Watch.
Now that we’ve reviewed the danger of potentially insufficiently managed systems, what is the best way to keep your customers’ data safe from bad actors? Ensuring sensitive information can’t be accessed outside of the company and even internally through unnecessary permissions– whether that is payments, Personally Identifiable Information (PII), or Protected Health Information (PHI). Join our webinar to learn more about the “5 Archetypes of Data Breaches.”