Shockingly, 93% of Healthcare Organizations in the US Have Faced a Data Breach: Biggest Breaches of 2019
Whether you visited an emergency room, had to stay at the hospital for a few days, or just had your yearly checkup in 2019, there is a good chance that you became a victim of a healthcare data breach without even knowing about it. A shocking statistic recently revealed that 93% of all healthcare organizations in the US had faced at least 1 data breach in the last 5 years. Unfortunately, many of these organizations had to deal with multiple breaches, which, of course, put patients in more danger. The reality is that it is impossible to stop such breaches completely at this point because hospitals, clinics, debt collectors, and similar organizations are still quite behind when it comes to virtual security; however, there is hope that we will see fewer breaches in the next decade. For now, all we can do is look at the biggest healthcare data breaches of 2019 and, hopefully, learn something from them.
The American Medical Collection Agency suffered an 8-month-long data breach
In many cases, data breaches are quick, and cybercriminals often take the information they are after and disappear. However, in some cases, cybercriminals are able to set up camp in the breached systems, and then continue tapping into the precious private data of innocent people for as long as possible. That is what happened when cyber attackers successfully breached the American Medical Collection Agency. The AMCA was hit in August of 2018, and the breach remained active for months until it was discovered in March of 2019. The company is responsible for handling millions of patients’ records as it collects medical bills and debt. In June, the company was forced to file for bankruptcy after it was hit with multiple lawsuits following the breach. Unfortunately, 25 million patients associated with BioReference, Carecentrix, Clinical Pathology, LabCorp, Quest, and other healthcare institutions ended up having their personal data sold on underground forums. As it turns out, this is the aftermath of most healthcare data breaches of 2019.
Dental insurer Dominion National reported a 9-year-long data breach in 2019
The AMCA data breach might be the biggest of all healthcare data breaches of 2019, but when we look at the timeline of a data breach, it has nothing on the Dominion National data breach. According to a report by healthitsecurity.com, 2.96 million patients’ data was put at risk. This is a huge number, but the most shocking part about the incident is that, allegedly, the company’s servers were exposed for 9 years before the breach was discovered. In April of 2019, it was clear that personal information was leaked, and due to that, two years of credit and fraud protection services were offered for free. Needless to say, we do not often hear about recent data breaches that date back to 2010. Basically, this breach spanned the entire decade, and that is an impressive feat for cybercriminals. At the same time, one must wonder how much the company invested in the protection of patients’ data if sensitive information was left exposed for such a long time.
Inmediata Health crossed the 1 million breached records mark too
As you can see, we are listing the worst healthcare data breaches of 2019 by the number of records that were breached according to reports. It was reported in May that the Inmediata Health data breach affected 1.56 million patients after some medical and personal information about them was left exposed, and that is the last breach to hit the 1 million mark in 2019. Cyber attackers were able to get their hands on patients’ information due to a configuration error within a website set up by the company. This error permitted search engines to index pages used by Inmediata and gain access to patients’ full names, addresses, birth dates, and similar private information. That being said, at the time of the report, it was unknown whether or not anyone had copied the exposed data. Unfortunately, that is not all. Once the company discovered the incident in January of 2019, the compromised website was taken down, and then the affected patients started receiving letters informing them of a potential data breach. Shockingly, patients reported that they were receiving letters addressed to other patients, which further compromised their privacy.
HIPAA analysts revealed some shocking statistics
HIPAA, or the Health Insurance Portability and Accountability Act, was set up in 1996, and it is enforced by the US Department of Health and Human Services (HHS). The analysts at hipaajournal.com continue to inform patients in the US about the privacy issues that emerge, and while we are still waiting for the December report, the November data breach report reveals quite a few interesting details. According to it, October of 2019 was the worst month for healthcare data breaches on record. Furthermore, 600,877 healthcare records were exposed, disclosed, or stolen in November. Also, it is now clear that 2019 will not be the worst year for healthcare breaches in the last 5 years. In 2015, a shocking number of 114,306,776 records were breached. From January till November of 2019, 38,978,154 records were breached. This might look like a significant decrease, but compared with the number of breached records in 2016, 2017, and 2018, 2019 will have 2.3, 7.7, and 3.2 times more breached records, respectively.
In November of 2019, we saw data breaches hitting Ivy Rehab Network, Solara Medical Supplies, Saint Francis Medical Center, Southeastern Minnesota Oral & Maxillofacial Surgery, Elizabeth Family Health, The Brooklyn Hospital Center, Utah Valley Eye Center, Loudoun Medical Group Comprehensive Sleep Care Center, Choice Cancer Care, and Arizona Dental Insurance Services. According to HIPAA, most breaches occurred due to hacking incidents, fewer were enabled by unauthorized access, and others were facilitated by theft. In most cases, data breaches were initiated using phishing emails. Others were performed with the help of stolen devices, ransomware, theft performed by employees, mailing errors, and office break-ins.
Should we stop trusting healthcare providers?
From a virtual security standpoint, it might be safer to find an unlicensed “doctor,” who might perform checkups without collecting any personal information. However, if you care about your health, trusting unlicensed people practicing medicine is the worst thing you could do. Ultimately, even though healthcare organizations in the US – and everywhere else in the world, for that matter – are often hit by malware and data breaches, that does not necessarily mean that your personal information is about to be exposed, stolen, and sold. First of all, not all data breaches enable access to patients’ private information. Second, not all information leaks can harm you personally. That being said, healthcare data breaches can be serious too, and cybercriminals can use patients’ private information to fabricate drug prescriptions or pay for their own medical bills. This could affect the victims’ insurance rates and even send them into debt.
You can continue reading here to learn how to protect medical information. The bottom line is that you need to be proactive about your own virtual security, and the first thing you need to do is find out how the healthcare organization you are working with is equipped to protect you. If you do not trust your healthcare provider, it might be time for you to find someone who will provide you with better services. That being said, the responsibility for your own security does not fall onto the shoulders of a healthcare provider alone. You need to be cautious too. For example, if you disclose private medical information online, someone could try to blackmail you. Some providers require patients to create online profiles, and if you use weak passwords to log in, the next data breach might be on you. If you have no idea how to create and manage strong passwords, check out this article. Hopefully, we will see a decrease in private information breaches in the future, but, for now, all we can do is try our best.