Ten Health Organizations Slammed by Cyber Breaches

July 13, 2015

Cybersecurity breaches are hitting the healthcare industry hard. Here are 10 recent victims.

 

 

Last year, the FBI released a private notice to the healthcare industry warning providers that their cybersecurity systems are lax compared to other industries, according to Reuters. The notice reportedly stated, "The healthcare industry is not as resilient to cyber intrusions compared to financial and retail sectors, therefore the possibilities of increased cyber intrusions is likely."

READ: Under Attack: Executives Face Rising Cybersecurity Risks

Considering the recent outbreak of major breaches affecting the industry, it appears that those concerns were warranted. The healthcare industry accounted for 43% of major data breaches reported in 2014, according to the Identity Theft Resource Center. While 2015 data are not yet available, the steady stream of cybersecurity breaches has continued, and many organizations have already reported major breaches. Here are 10 recent victims.    

 

 

 

 

In early 2015, the health insurer announced that hackers broke into a database containing the personal information of nearly 80 million records related to consumers. Hackers stole Social Security numbers, addresses, email addresses, and employment information, according to Anthem. Some IT experts have voiced suspicions that the Chinese-sponsored hacker group Deep Panda was responsible for the security breach, according to USA Today.

READ: Anthem hack exposes up to 80 million records

 

 

 

 

In March, Premera Blue Cross announced that hackers gained access to the financial and medical information of 11 million members. The breach, which may have compromised members’ dates of birth, Social Security numbers, mailing addresses, phone numbers, and bank account information, was discovered in January. The breach affected users of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and Vivacity and Connection Insurance Solutions.

READ: Protections offered as breach of 11 million records is revealed

 

 

 

 

 

The Premera cyberattack also affected thousands of current and former members of LifeWise Health Plan of Oregon. The LifeWise cyberattack, which was discovered in January, affected LifeWise Health Plan of Washington, LifeWise Health Plan of Oregon and LifeWise Assurance Co. It also affected LifeWise Health Plan of Arizona, which no longer does business in that state. Eric Earling, vice president of corporate communications at Premera, told the Portland BusinessJournal that the Premera and LifeWise are affiliated and share a common IT system for claims.

 

 

 

 

 

In May, CareFirst BlueCross BlueShield announced that a cyber attack affected approximately 1.1 million current and former members. The attackers gained "limited, unauthorized access" to a single CareFirst database, according to the health insurer. "We deeply regret the concern this attack may cause," said CareFirst President and chief executive officer Chet Burrell. "We are making sure those affected understand the extent of the attack-and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years."

 

 

 

 

 

In March, the Virginia Department of Medical Assistance Services reported a network server hacking incident that exposed 697,586 plan records. The department administers Medicaid and the State Children’s Health Insurance Program in Virginia.

 

 

 

 

 

In March, the Georgia Department of Community Health reported a network server hacking incident affecting 557,779 individuals. On the same day, it reported another network server hacking incident affecting 335,127 individuals.

The Georgia Department of Community Health provides healthcare programs and services to citizens of Georgia. The department is one of the largest agencies in Georgia state government and it serves as the lead agency for Medicaid and oversees the State Health Benefit Plan.

 

 

 

 

 

In May, Beacon Health System reported an email hacking incident affecting 306,789 individuals.

Beacon Health System is the nonprofit parent organization of Elkhart General Hospital and Memorial Hospital of South Bend, Indiana. The health system operates healthcare facilities in Elkhart, St. Joseph and LaPorte counties in Indiana, and in Michigan.

 

 

 

 

 

The Seton Healthcare Family, a Texas-based healthcare system, recently reported an email hacking incident that affected 39,000 individuals. The healthcare system announced that hackers targeted employee usernames and passwords in an attempt to gain access to personal health information of patients in December, 2014. Seton learned of the breach in February.

The information that may have been compromised included personal health information, demographic information, medical record numbers, insurance information, limited clinical information and, in some cases, Social Security numbers, according to Seton. The hackers did not gain access to individual medical records or billing records.

 

 

 

 

 

In April, the healthcare system reported that an email hacking incident affected 24,967 patients. Saint Agnes Health Care, a large healthcare system in Maryland, notified patients that their personal information was compromised by attackers who used a phishing email to gain access to an employee's email account.

"We value the privacy and security of patient protected information and we are committed to protecting the confidentiality and privacy of our patients and employees," stated Sharon McNamara, corporate responsibility officer at Saint Agnes Healthcare, Inc. "It is our priority to support those who have been affected."

 

 

 

 

Children's National Medical Center reported in February that 18,000 individuals had been affected by an email hacking incident. The organization announced in March that employee email accounts had been exposed in a way that may have allowed hackers to access private information between July 26, 2014 and December 26, 2014.