The 10 largest healthcare data breaches HDM covered in 2017
Providers continued to struggle with attacks on data security in 2017. The ransomware epidemic only increased the challenges for providers, insurers and HIT vendors. Health Data Management covers breaches of protected health information during the course of reporting news in the industry; here are the 10 largest breaches that HDM covered, affecting nearly 1.9 million individuals.
Airway Oxygen: 500,000 affected individuals
The mid-Michigan vendor suffered a ransomware attack in April that apparently came from an off-shore location. The company was unusually candid in its explanation of the breach to affected individuals. The notification letter included an expansive Q&A covering who was responsible for the breach, how it was discovered, how long hackers were in the system and whether the hack could have been prevented. However, the company acknowledged it would not comment on whether ransom was paid.
Urology Austin: 279,663 affected individuals
Hackers in January unleashed a ransomware attack on Urology Austin, a specialty provider operating 13 sites in the Round Rock and Austin metropolitan areas of Texas. While the attack was thwarted and the organization regained access to its systems, it could not be determined whether patient information was accessed by the hackers. Urology Austin offered those affected a year of credit and identity protection services and said no ransom was paid.
Pacific Alliance Medical Center: 266,123 affected individuals
The Los Angeles provider in June had a ransomware attack that encrypted some network servers, but with assistance from a third-party vendor, it was able to restore the network to full operation. Patients received two years of credit monitoring and identity protection.
In July, Atlanta-based Peachtree learned that it had been hacked, and an investigation found the attack originated about a year earlier. Ransomware encrypted the electronic health records system, but the organization did not pay a ransom and was able to restore systems through backup records, according to its notification letter. Because the attack was a year old, the company acknowledged it was possible that data could have been accessed. Patients were offered identity theft protection.
Med Center Health: 160,000 affected individuals
Six-hospital Med Center Health in March started notifying patients after an employee stole billing information to assist in an unapproved project to develop a new tool for an outside business interest. The breach was in effect for years, as the employee in August 2014 and February 2015 obtained patient information on an encrypted CD and encrypted USB drive without any work-related reason. The breach affected individuals treated at six facilities between 2011 and 2014. A year of credit and identity theft protection was given to affected persons.
Arkansas Oral & Facial Surgery Center: 128,000 affected individuals
The organization, serving patients in Springdale, Fayetteville and Harrison, in July learned it was victimized by a ransomware attack either the previous night or that morning. The hackers’ motivation appeared to be extortion and not the theft of patient data. However, the virus affected image files, documents and all electronic patient data during the previous three weeks, rendering them inaccessible. Affected persons were offered one year of credit and ID protection.
McLaren Medical Group in Lansing, Mich.: 106,008 affected individuals
In August, the large practice with 450 physicians notified current and former patients after learning it had been hacked in March. The practice said the five-month delay in patient notification was necessitated by an extensive investigation into the breach. The investigation found that only seven patient records were definitively confirmed to have been accessed, but researchers could not confirm whether any other records had been accessed.
Harrisburg Gastroenterology in Pennsylvania: 93,323 affected individuals
In March, following suspicious activity, the practice discovered an attacker may have accessed protected health information and potentially could have compromised demographics, clinical data and other information.
Washington University School of Medicine in St. Louis: 80,270 affected individuals
In January, the school learned that some employees clicked on an email link that was part of a phishing attack. The investigation could not rule out that an attacker may have gained access to some email accounts. The school told affected individuals that it had no indication that information in the email was misused. The notification letter to patients made no mention of the offering of protective services.
Emory Healthcare: 80,000 affected individuals
A hacker in January demanded a ransom from Emory Healthcare after accessing and deleting the appointments information systems of the Orthopaedics and Spine Center, as well as the Brain Health Center within Emory Clinic. The organization did not say whether it paid a ransom to gain release of the affected information. In a statement, Emory did not mention the provision of identity protection, but the statement emphasized that there was no indication patient information had been inappropriately used.