Amidst warnings from the U.S. Federal Bureau of Investigation about hacking groups and news from the Department of Justice about ransomware-related arrests, an adage has begun to be repeated among cybersecurity professionals: It’s not “if” an attack will happen, but “when.”
To add insult to injury, some hospitals even face legal action after restoring access to their network. Overall, 40,099,751 individuals’ records have been affected by exposures reported to the federal government so far this year.
For anyone who needs a refresher on how things have gone, Healthcare IT News has compiled a list of the 10 largest data breaches reported to the U.S. Department of Health and Human Services’ Office of Civil Rights this year so far:
Organization: Florida Healthy Kids Corporation
Date reported: 1/29/2021
Number of individuals affected: 3,500,000
What happened? An analysis found that “significant vulnerabilities” had been present on the children’s health insurance program website since 2013 – potentially leading to the exposure of personal information such as Social Security numbers, dates of birth, names, addresses and financial information.
Organization: 20/20 Eye Care Network, Inc.
Date reported: 5/24/2021
Number of individuals affected: 3,253,822
What happened? The eye care network 20/20, which provides eye and ear care services and administration, discovered suspicious activity in its Amazon Web Services environment. After an investigation, it determined that data had been potentially removed, possibly including personal information. Later 20/20 faced a lawsuit over the breach.
Organization: Forefront Dermatology
Date reported: 7/8/2021
Number of individuals affected: 2,413,553
What happened? The Wisconsin-based organization, which has locations in 21 states and the District of Columbia, reported that an intrusion resulted in unauthorized access to certain files on Forefront’s IT system containing patient and employee information.
Organization: NEC Networks, LLC
Date reported: 5/5/2021
Number of individuals affected: 1,656,569
What happened? NEC, which does business as CaptureRx, said it became aware of “unusual activity” involving some electronic files. An investigation determined that the relevant files contained first name, last name, date of birth and prescription information.
Organization: Eskenazi Health
Date reported: 10/01/2021
Number of individuals affected: 1,515,918
What happened? The Indiana-based health system said cybercriminals had gained access to their network for nearly three months. Eskenazi Health did not make a ransom payment, and the criminals released some of the stolen data on the dark web.
Organization: The Kroger Co.
Date reported: 2/19/2021
Number of individuals affected: 1,474,284
What happened? The Midwest grocery chain was affected by a data security incident affecting Accellion, a file-sharing company. Clinic customer information was found to be at risk, including pharmacy records.
Organization: St. Joseph’s/Candler Health System, Inc.
Date reported: 8/10/2021
Number of individuals affected: 1,400,000
What happened? The ransomware incident took the Georgia health system offline for multiple days. The unauthorized party had been able to access the network for six months.
Organization: University Medical Center Southern Nevada
Date reported: 8/13/2021
Number of individuals affected: 1,300,000
What happened? Although the incident only lasted a day, the attack – linked to the notorious REvil ransomware gang – compromised files containing protected health information and personally identifiable information. Just after the attack the group posted photos of driver’s licenses, passports and Social Security cards of a handful of alleged victims.
Organization: American Anesthesiology, Inc.
Date reported: 1/8/2021
Number of individuals affected: 1,269,074
What happened? An unauthorized party was able to gain access to the email system of the company’s business associate, MEDNAX, via phishing. Those email accounts contained the personal information of American Anesthesiology’s clients, although the hackers appeared to be mostly focused on payroll fraud.
Organization: Professional Business Systems, Inc.
Date reported: 7/1/2021
Number of individuals affected: 1,210,688
What happened? The practice management company, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp., said that hackers attempting to deploy ransomware had copied files from its system containing patient information.
Unfortunately, there’s still a month and change left in 2021, which means we’ll likely see even more incidents before the end of the year – particularly given the increased threat the holidays may pose.
2021 Year in Review
Now at the tail end of 2021, we look back at how digital health has become a staple of the medical system.