This year shone a spotlight on cybersecurity, with federal agencies warning in October of an “increased an imminent” cyber threat to hospitals fueled by the COVID-19 pandemic.
But not every security incident was caused by major ransomware attacks, of course. Some costly breaches were caused by much more mundane activities, such as improperly disposed materials or employee snooping.
By law, the U.S. Department of Health and Human Services’ Office of Civil Rights must publish a list of breaches of unsecured protected health information affecting 500 or more individuals. It’s worth noting that not every incident on this list happened in 2020, nor has every incident that took place in 2020 been reported yet.
The list also includes both resolved incidents and those still under investigation. More than 10 million individuals were affected by the breaches in the top 10 list alone.
Ultimately, it’s clear that cybersecurity incidents aren’t going anywhere in the coming year – and they may even get more egregious. Here’s a list of the biggest healthcare breaches reported to OCR in 2020.
Name: Trinity Health
Number of individuals affected: 3,320,726
Trinity’s philanthropy database vendor, Blackbaud, notified the health system in July that it had been the victim of a cyberattack, potentially obtaining access to patient and donor information. In a security notice, Blackbaud said that it had paid the ransom to have the data copy destroyed (a strategy that experts do not generally advise).
Name: Inova Health
Number of individuals affected: 1,045,270
Inova was affected by the same Blackbaud security incident. The Virginia-based system determined that the threat actor may have accessed personal information of patients and donors.
Name: Magellan Health
Number of individuals affected: 1,013,956
In April, the Arizona system discovered it was the victim of a ransomware attack. An investigation revealed that the incident may have affected personal information.
Name: Dental Care Alliance
Number of individuals affected: 1,004,304
The Florida-based support organization, which is affiliated with more than 320 practices in 20 states, reported this fall that it had been the victim of an ongoing attack.
Name: Luxottica of America
Number of individuals affected: 829,454
Luxottica of America, which operates vision care facilities, was targeted by class-action lawsuits following the breach of its online scheduling application.
Name: Northern Light Health
Number of individuals affected: 657,392
The Maine health system was yet another healthcare organization impacted by the Blackbaud ransomware incident.
Name: Health Share of Oregon
Number of individuals affected: 654,362
One of the few incidents on the list not related to hacking, this breach stemmed from the theft of a laptop stolen from Health Share’s non-emergent medical transportation vendor in November 2019. The personal information located on the computer included names, addresses, phone numbers, dates of birth, social security numbers, and Health Share ID numbers, although personal health histories were not exposed.
Name: Florida Orthopaedic Institute
Number of individuals affected: 640,000
In April, the system discovered that a ransomware attack had encrypted data on its servers. After an investigation, FOI determined that personal information may have been accessed during the incident.
Name: Elkhart Emergency Physicians
Number of individuals affected: 550,000
A third-party vendor was discovered to have improperly disposed of some patient files, affecting Elkhart records from 2002 through 2010.
Number of individuals affected: 484,157
Aetna, which contracts with EyeMed to provide vision benefit services for members, said an EyeMed email mailbox was accessed by an unauthorized individual earlier this year.
Taking Stock of Progress and Looking Ahead
This December, we look back at a challenging year – and forward to what we hope is a better, stronger, more connected and resilient healthcare ecosystem.