Slideshow 10 hacks providers should be aware of

  • May 23 2016, 9:04pm EDT
11 Images Total

10 hacks providers should be aware of

Health Data Management has tracked 10 significant incidents of hacking announced so far in 2016. Some attacks were initially discovered in late 2015, but were publicly reported in the early months of 2016 after investigations were over and law enforcement officials gave the organizations permission to announce the incidents. Clearly, cyber attacks continue to be an every-day threat for healthcare organizations.

Hollywood Presbyterian Medical Center

The Los Angeles-based organization was victimized in February by a ransomware attack that affected its ability to access patient information. The facility had to revert to using paper records. After about 10 days without electronic systems, it paid a $17,000 ransom in Bitcoin to regain control of its data.

Content Continues Below

MedStar Health

10-hospital MedStar Health, serving the Baltimore-Washington region, was attacked in late March but said that, with few exceptions, “all of our doors remain open.” The organization was operating on backup data and paper documentation. It did not confirm that ransomware was the cause of the incident, but reports in local media suggested it as a potential cause.

Methodist Hospital

Methodist Hospital in Henderson, Ky., was hit by a cyber attack in mid-March, and the organization needed about a week to resolve most major issues. The hospital used unaffected backup data to restore functions and said no patient information was compromised.

The Ottawa Hospital

Executives in March announced that the organization weathered a ransomware attack; it used backup files to circumvent demands for payment. The Canadian hospital said four of its 9,800 computers were affected by hackers, who tried to lock files and extract payment.

Content Continues Below

21st Century Oncology

The chain of 145 cancer treatment centers in the U.S. and 36 more in Latin America learned from the FBI in mid-November that it had been attacked as early as October 3, 2015. The incident put information of 2.2 million individuals at risk, and the company offered one year of identity theft protection.

Bay Area Children’s Association

The organization’s EHR vendor in April 2016 disclosed it was hacked, and malware may have been on their system since January 2015. The healthcare organization could not confirm whether hackers accessed protected health information; the organization offered patients and their parents identity protection services.


Physician software vendor Bizmatics announced in April that its Prognosis EHR data servers were hacked. The organization didn’t know the full extent of the breach and whether protected information was actually accessed. But one of its clients—Pain Treatment Centers of America—notified 19,000 patients. Bizmatics learned of the attack in late 2015 and believes it started in early 2015.

Content Continues Below

Kentucky Workers’ Compensation Fund

The fund announced in April it had been hacked but didn’t know it for a while as an employee minimized the black ransmonware screen and continued her work. Having employed best practices for backing up data, the fund escaped almost unscathed.

American Dental Association

In April, ADA sent out 37,000 USB thumb drives containing updated procedure codes to members. Of those a “small” but not yet confirmed percentage of drives were infected with malware.

Wyoming Medical Center

A phishing attack during April at Wyoming Medical Center resulted in employees disclosing network credentials, believing they were helping to resolve an urgent problem. The unauthorized party had access to protected data for about 15 minutes, but facility executives believe data were not accessed by hackers because of the prompt response. Information that could have been accessed did not include patient addresses, Social Security numbers and insurance information. Consequently, the hospital did not offer protective services but encouraged affected individuals to have a fraud alert placed on their credit files.