Healthcare data breaches are among the most damaging there are.
The data that healthcare organizations collect is among the most personal and private there is.
Because healthcare organizations hold such sensitive information, the regulations governing how this data is handled are well developed.
All of this means the stakes are incredibly high in protecting patient data, and failing to do so may result in hefty lawsuits and fines.
In this post, I’ll cover:
- The underlying causes of healthcare data breaches
- Notable past healthcare breaches
- Legal implications for a data breach containing protected health information
- Important preventative measures and best practices for healthcare companies in order to better safeguard patient information
The Underlying Causes of Healthcare Data Breaches
It is common to find that most major health data breaches are multilayered and complex.
As of 2023, over 8 million records have been compromised from healthcare systems.
These underlying causes can include outdated software lacking the latest security patches, unencrypted databases and servers, insecure configurations, secrets stored in code or internal systems, and other cybersecurity gaps that leave vulnerabilities ripe for exploitation.
Healthcare organizations with limited resources for their IT and cybersecurity strategies face the greatest risk of a breach: their attack surface expands and their security risks grow.
In addition to the technical causes of a data breach, human error and insufficient security awareness training have also led to many healthcare breaches. This can include employees being targeted by phishing attempts and social engineering tactics from cybercriminals, which, if successful, can hand the data involved directly to threat actors. This is where proper cybersecurity training, integrated with a culture of security and compliance, is critical in healthcare.
The complexity of the US healthcare system and the technology many organizations use can further enable vulnerabilities. There is a vast flow of protected patient data that moves between hospitals, insurers, billing services, laboratories, pharmacies, and more. This can make securing data and patient PHI all the more challenging.
Healthcare IT systems often come with layered databases that mix patient information across platforms in an intricate web. When not secured properly, a single breach can expose millions of records containing patient information to cybercriminals. As a result, the industry faces a range of attacks, from ransomware and unauthorized access to social engineering incidents intended to leak sensitive data.
List of Past Healthcare Data Breaches
The healthcare industry has faced numerous data breaches reported over the past decade, with private medical information becoming an attractive target for hackers.
This has left some of the largest healthcare companies in the US liable for millions of dollars in regulatory fines and penalties due to data breaches.
In addition, many have faced more financial losses due to lawsuits from patients for the exposure of their protected health data.
Let's dive into several of the most notable data breaches in healthcare.
1. Anthem (2015)
National health insurance provider Anthem suffered a data breach in 2015 that exposed the private health information of a portion of its consumers. The breach was determined to be the result of a successful phishing attack that targeted employees. Once the data was accessed, hackers were able to steal patient personal information such as names, dates of birth, social security numbers, addresses, and more.
In response to the incident, Anthem offered complimentary credit monitoring to those affected by the breach. The aftermath eventually cost the organization 39 million dollars in a class action settlement, reached in 2020. Anthem was also fined 16 million dollars by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) for violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
2. Magellan Health (2019)
Managed healthcare company Magellan was hit with a phishing and ransomware attack in 2019. It was uncovered that malicious actors had sent a third-party vendor phishing emails asking for sensitive data in order to gain access to the company's computer systems. Once successful, the hackers gained access to the systems and deployed ransomware, which encrypted data and held it for ransom.
Hackers exfiltrated the personal health information of approximately 237,000 patients in the attack. The compromised data included names, addresses, dates of birth, personal health information, and various medical information of consumers who use the company for their healthcare needs.
The phishing attack initially occurred in May 2019. However, it was not discovered until July 2019, and notification letters were not sent to patients until November 2019. In the aftermath of the breach, the company was required to pay 1.43 million dollars in a class action lawsuit on behalf of the impacted patients whose data was stolen.
3. Texas Tech University Health Sciences Center (2021)
Texas Tech University Health Sciences Center (TTUHSC) reported in 2022 that it had discovered that one of its shared network drives had been breached in December 2021. The organization stated that over 1.2 million patient records were compromised via its electronic health records vendor, Eye Care Leaders.
The organization stated that once the incident was identified, the affected systems were disabled in order to stop any further exfiltration of patient data. It advised consumers via letter that protected patient information such as name, address, health insurance information, medical record data, and more was exposed in the breach.
4. Humana (2023)
Humana has had issues in the past with a former employee selling protected health data on the dark web. However, the company saw another breach occur in 2023.
In the 2023 breach, a third-party vendor of Humana, Prospect Medical, discovered that one of its SQL databases containing sensitive patient health information tied to Humana had been compromised. The database was found for sale on a popular illicit hacker forum. The leaked data contained the names, IDs, email addresses, and medical treatment data of over 6,000 patients.
Preventative Security Measures & Best Practices for the Healthcare Sector
Data breaches in the healthcare sector can have significant impacts on patient information and confidentiality. Organizations in healthcare need to remain diligent in their preventative measures and implement security best practices to safeguard sensitive patient information. Here are 4 ways IT and security teams within the industry can better prevent security incidents that can lead to data breaches impacting patients adversely:
1. Deploy regular patches and updates when available
Vulnerabilities in applications and systems are discovered every day, and outdated systems are a prime target for attackers. From internal operating systems to applications like Confluence, deploying the latest security and system updates helps keep security incidents to a minimum.
2. Enlist encryption and authentication controls for all web and system applications
Phishing and social engineering attacks are designed to steal user credentials in order to access systems. By implementing strong encryption for patient data, health organizations can keep that data protected both in transit and at rest.
Additionally, enlisting two-factor authentication (2FA) or multi-factor authentication (MFA) can help stop an attacker from accessing data if an internal user account is compromised.
3. Understand the risks of a data breach
Within nearly any industry, there is a level of security risk involved in the use of any technology, and cybercriminals use this to their advantage. Implementing security measures that address those risks helps prevent incidents before they happen.
These measures can involve conducting risk assessments internally and on third-party vendors, performing regular security system testing, reducing shadow IT or other technical debt, using vulnerability or secret scanning tools, and addressing employee awareness of cybersecurity risks the organization faces.
4. Implement controls that effectively support incident response and data recovery
For many organizations, including those in the healthcare field, having a defined incident response and recovery plan is essential. These controls should also address how data is backed up internally, along with the recovery plan in the event of a breach. Regular backups of healthcare data can help minimize the damage of an incident and allow for a quicker response and recovery.
Detect Secrets → Protect PHI with Soteri
Highly regulated industries, such as healthcare, require more security to protect patient data effectively. This is where Soteri can support your teams in ensuring that secrets are protected from cybercriminals.
Whether you are aiming to prevent secrets from being stored in your Jira instance or from being published on Bitbucket, Soteri has developed multiple scanners to detect and even block secrets from being stored in dangerous ways.
Some of the benefits that Soteri has to offer include:
- Identifies sensitive data stored in Bitbucket, Confluence, or Jira before attackers are able to exploit it.
- Protects consumer PII, PHI, financial information, and more from being exposed.
- Supports organizations striving to remain HIPAA compliant.
Soteri is dedicated to promoting greater security for the healthcare industry.
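To illustrate the secret-scanning approach this section describes, here is an added example (written for this post, not Soteri's scanner or its rules) of a check that flags credential-like strings in text before it is stored. The regex rules, the entropy threshold and the sample config are all constructed for the example; the AWS key ID shown is the placeholder from AWS documentation.

```python
import math
import re

# Illustrative rules (assumption: constructed for this example, not Soteri's
# or any vendor's actual signatures). Each maps a rule name to a regex.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def scan_text(text: str, entropy_threshold: float = 3.0) -> list:
    """Return (line_no, rule, line) tuples for lines that match a rule. The generic
    rule also requires a high-entropy value, so placeholders like changeme are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "generic_assignment" and shannon_entropy(m.group(1)) < entropy_threshold:
                continue
            findings.append((line_no, rule, line.strip()))
    return findings

def should_block(text: str) -> bool:
    """Policy hook for a pre-commit or pre-receive check: reject if any rule fires."""
    return bool(scan_text(text))

# Constructed sample of what such a check might see in a pushed config file.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS docs, not a real credential.
SAMPLE = """\
# database settings
db_host = ehr-db.internal.example
password = changeme
AWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE
api_key = "q7Zf3kPx9LmR2wT8aVb5nC1d"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_no, rule, line in scan_text(SAMPLE):
        print(f"line {line_no}: {rule}: {line}")
```

Running it against the sample reports the AWS key ID, the random-looking api_key and the private key header, while the low-entropy placeholder password is ignored.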