10 Top Health Data Hacks

Published February 09 2015, 5:50pm EST

The giant breach at health insurer Anthem (previously WellPoint), potentially affecting up to 80 million insured members and employees, reminds us that the hacking threat to protected health information is persistent and growing. The HHS Office for Civil Rights Web site of large breaches lists more than 90 major incidents of hacking, which have become much more prevalent during the past two years. Here are the 10 largest healthcare hacking incidents to date.


Anthem

The insurer announced the cyber attack on Feb. 5. While 80 million may eventually be affected, a forensic investigation continues and for now the company is comfortable saying that tens of millions were involved. USA Today reports that Anthem itself discovered the breach last week after noting suspicious activity; victims often are hacked and then notified by the perpetrators.

The hacking affected all Anthem product lines. Information compromised includes names, birthdates, member IDs, Social Security numbers, addresses, phone numbers, email addresses and employment information including income data, according to Anthem. No evidence yet shows that credit cards or medical information were breached. The company will offer credit and identity theft protection services.


Montana Department of Public Health and Human Services

In June 2014, a computer server at Montana Department of Public Health and Human Services was hacked, affecting 1,062,509 individuals--a number that nearly matches the state’s population. An investigation found the server likely was initially attacked in July 2013. Breached information included patient names, addresses, birth dates and Social Security numbers, and employee names, SSNs and bank account numbers. All were offered a year of credit and identity protection services.


Utah Department of Public Health

The Utah Department of Public Health in April 2012 announced the hacking of a server holding information on 780,000 Medicaid and CHIP recipients. About 280,000 individuals had their Social Security numbers stolen and were offered a year of credit monitoring services. Other breached information included names, birth dates and addresses. The server, holding Medicaid eligibility determination transactions, was in the state’s Department of Technology Services and the leader of the department subsequently lost his job.


Triple-S Management

Triple-S Management, a BCBS plan serving more than 1 million members in Puerto Rico, in 2010 learned that it was hacked by employees of a competitor who downloaded data on more than 475,000 insured individuals into its own information systems. The employees had gone rogue and the competitor itself reported the breach to Triple-S. The hacking employees used active user IDs and passwords specific to Triple-S’ database to access the information. The likely target was financial information related to the government insurance plan rather than individuals’ information.


St. Joseph Health System

A server hacked for parts of three days in December 2013 resulted in five-hospital St. Joseph Health System in Bryan, Texas, notifying 408,300 past and present patients, employees and some employee beneficiaries. Originating in China, the attack compromised names, birth dates, Social Security numbers, limited medical details, addresses and bank account information for some employees. A forensics investigation failed to confirm if information was actually accessed. Affected individuals received a year of identity protection services.


Seacoast Radiology

Gamers seeking bandwidth to play the game Call of Duty: Black Ops accessed a server storing protected information on 231,400 patients at Seacoast Radiology in Rochester, N.H. Information on the server included patients' names, addresses, phone numbers, diagnosis/procedure codes and Social Security numbers. The breach was discovered on Nov. 12, 2010, and patient notification began on Jan. 11. Seacoast Capital at the time was not offering free credit and identity theft protection services, but advised affected patients on steps to protect themselves.


University of Washington Medicine

Malware in an email attachment that a University of Washington Medicine employee opened in October 2013 accessed a subset of billing files for more than 76,183 patients. About 15,000 Social Security numbers were included and those individuals were offered a year of credit monitoring services.


Onsite Health Diagnostics

A business associate of Onsite Health Diagnostics in Texas had a network server attacked from January 4, 2014 until April 11, 2014, compromising the protected health information of 60,582 patients.


Los Angeles Gay & Lesbian Center

Between September 17 and November 8, 2013, the Los Angeles Gay & Lesbian Center was attacked to collect credit card and other financial information, along with Social Security numbers of approximately 59,000 present and former clients. Other compromised data may have included names, birth dates, medical information and contact information. The attacks were sophisticated and designed to go after the financial data, the center informed affected individuals, who were offered one year of identity protection services.


SafeRide Services

A network server at SafeRide Services, providing transportation services in Arizona, was hacked in August 2011, causing a breach that affected 42,000 individuals.
