NetworkTigers lists the worst medical data breaches in recent history.
The top 10 worst reported medical data breaches in 2021 compromised the protected health data of nearly 20 million patients. Even more concerning is that vendors caused 60% of the violations reported. This should serve as a wake-up call for the healthcare industry to review vendor contracts and evaluate their security processes.
Healthcare organizations are well advised to review supply chain guidance from NIST for insights into best practices for an effective vendor management process. Check out the top 10 healthcare facilities that reported the worst healthcare data breaches:
Accellion – 3.5 million records
In February 2021, CISA asked all private sector entities to stay alert, as cybercriminals had exploited several unpatched vulnerabilities in Accellion’s File Transfer Appliance (FTA) and stolen sensitive information from more than 100 companies, including 11 U.S. healthcare facilities.
The criminals gained access through known zero-day vulnerabilities in Accellion’s legacy FTA and installed a web shell. They used Accellion FTAs to transfer large files they could not send via email.
The attack used no ransomware, but confidential information was stolen and leaked on the Clop ransomware gang’s website. Ransom demands were issued.
The Accellion FTA attack did not appear as a single hack incident on the Civil Rights breach portal because the affected healthcare facilities reported the breach separately. Hackers stole the protected health data of at least 3.5 million patients.
Florida Healthy Kids Corporation (FHKC) – 3.5 million records
Florida Healthy Kids Corporation notified 3.5 million enrollees and online applicants of a 7-year data breach caused by the failure of a security vendor to patch several website vulnerabilities.
The vendor notified FHKC that hackers had accessed thousands of applicants’ highly sensitive data, such as financial information and Social Security numbers. Some of the information had been tampered with.
A review of the breach revealed that the website and subsequent databases held security flaws beginning in November 2013 that enabled the successful hack.
20/20 Eye Care Network – 3.3 million records
20/20 Eye Care Network exposed the protected health data of 3.3 million patients due to a misconfigured Amazon Web Services cloud storage bucket. An unauthorized individual accessed the network and downloaded confidential data. The criminal then deleted the information in the bucket.
The vendor was alerted to suspicious activity within its cloud storage environment and conducted an investigation. The response team could not determine what information the criminal accessed or deleted from the network.
The impact on individuals varied but included violation of privacy relating to health insurance information, dates of birth, names, member identification numbers, and SSNs.
CaptureRx – 2.4 million patients
A ransomware attack on CaptureRx compromised the information of several healthcare organizations. It is not clear when the cyber threat was first detected. Still, the investigation revealed that hackers accessed and exfiltrated files containing the protected health data of its healthcare provider clients.
An analysis of the impacted data discovered the stolen information included patient prescription details, dates of birth, and names.
Forefront Dermatology – 2.4 million records
Forefront Dermatology discovered that a cyber attacker had accessed its network and viewed and downloaded sensitive patient and employee data, including Social Security numbers and names.
The investigation found that the personal and protected health data of 4,430 patients had been tampered with, but the systems accessed by the hackers contained the records of 2.4 million individuals, all of whom were affected.
Eskenazi Health – 1.5 million records
This Indiana-based healthcare provider suffered a ransomware attack conducted by the Vice ransomware group. Before encrypting files, the criminals exfiltrated files containing the protected health data of 1.5 million patients.
The information included pharmacy records, passport numbers, financial data, Social Security numbers, photographs, and driver’s license numbers. The information was leaked on the gang’s data leak website when the ransom remained unpaid.
The Kroger Company – 1.5 million records
This pharmacy operator was one of the companies affected by the exploited vulnerabilities in its Accellion File Transfer Appliance (FTA).
The company said that the internal investigation revealed that 1.5 million clients were affected. Insurance claim information, medical history information, contact information, prescription information, names, and Social Security numbers were stolen in the attack.
St. Joseph Candler Health System – 1.4 million records
St. Joseph Candler Health System was another healthcare ransomware attack victim. The attack happened in June 2021, but cybercriminals first hacked its network 6 months previously.
During those 6 months, the attackers had access to the confidential information of 1.4 million patients, including financial information, medical information, health insurance information, driver’s license numbers, dates of birth, names, and Social Security numbers.
University Medical Center Southern Nevada – 1.3 million records
This healthcare facility suffered a ransomware attack by the REvil ransomware group. The attackers demanded a ransom of $12 million to prevent any misuse of stolen information and for the keys to unlock the encrypted files.
The group stole the protected health data of 1.3 million patients. Some of that data was posted on the group’s data leak website, including Social Security numbers, health histories, dates of birth, passports, and names.
American Anesthesiology, Inc. – 1.3 million records
This health organization was impacted by a phishing attack on MEDNAX, one of its business associates. Employees replied to the phishing emails and revealed their credentials, which provided the hackers with access to email addresses containing the protected health data of 1.3 million patients.
The attack was not conducted to steal patient information; the criminals diverted payroll to their accounts.
Prevention is the best approach to keeping patients’ information from being leaked in data breaches. To avoid future attacks, analyze your current cybersecurity strategy. If gaps exist, strengthen your strategy by regularly patching your hardware and systems to prevent vulnerabilities.