The healthcare sector has been the target of hundreds of cyber attacks this year. A tally of public reports of data breaches so far shows that tens of millions of health records have been exposed to unauthorized parties.
Most of the biggest data breaches result from ransomware attacks, and the top ten account for more than half of all health records exposed in 2021.
Millions of PII records stolen or exposed
The breach notification rule under the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to report breaches affecting 500 or more individuals to the Department of Health and Human Services, which lists them publicly, and to notify the media when more than 500 residents of a state or jurisdiction are affected.
The ten most impactful cyber events listed on the US Department of Health and Human Services (HHS) Office for Civil Rights breach portal all originate from hacking incidents and together account for the exposure of nearly 19 million people's data.
At the top of the list reported this year is an incident that impacted Florida Healthy Kids Corporation. Hackers exploited vulnerabilities in its website hosting platform that had gone unpatched for seven years and gained access to the data of 3.5 million people.
The second largest healthcare data breach impacted the 20/20 Eye Care Network in Florida, which resulted in the exposure of personal data of over 3.2 million people.
The attackers gained access to the company's AWS S3 buckets and deleted the information. A class action has been filed against 20/20 Eye Care Network.
Another notable data breach was reported by the dermatology practice group Forefront Dermatology, which found that an unauthorized person had access to its systems for about a week.
The intrusion exposed information on more than 2.41 million patients, including names, addresses, dates of birth, health insurance plan member IDs and details of medical and clinical treatments.
Ransomware gang attacks
On February 19, 2021, NEC Networks (CaptureRx) discovered that its systems had been compromised two weeks earlier and that the intruders had accessed customer files.
The investigation later determined that it was a ransomware attack affecting data belonging to 1.65 million people.
The data of more than 1.5 million people was compromised in an August 4 attack on the public hospital system Eskenazi Health.
The hackers had been on the internal network since May 19, preparing to encrypt it, but failed to complete the operation, the organization said.
Although the threat actor did not encrypt any data, they did manage to steal patients' personal and health information from the organization.
The Kroger Co. confirmed a data breach that exposed the records of 1.47 million people. The incident was part of an extortion campaign by the Clop ransomware gang.
Access to the company's data was obtained by exploiting vulnerabilities in Accellion's legacy File Transfer Appliance (FTA) service, which was used by up to 100 companies.
Supermarket chain Kroger, which also operates pharmacies, has agreed to pay $5 million to settle claims brought on behalf of customers and employees whose personal information was exposed.
Also the victim of a ransomware attack, the St. Joseph's/Candler health system announced that it had detected the intrusion on June 17, 2021; the investigation revealed that the hackers had had access to the network since December 18, 2020.
While on the network, the attackers gained access to the data of 1.4 million patients, including addresses, dates of birth, Social Security numbers, driver's license numbers, financial information, health insurance plan member IDs and information on medical and clinical treatments.
The REvil ransomware gang breached the systems of University Medical Center of Southern Nevada in mid-June; those systems stored the data of 1.3 million people.
The data included personally identifiable information (PII) as well as "certain protected health information," the organization's data security incident notification reveals.
American Anesthesiology notified patients in early January 2021 that Mednax Services, one of its service providers, had been the victim of a phishing incident that resulted in the exposure of personal information to an unauthorized party.
The attacker had access to the partner's Microsoft Office 365 email environment in mid-June 2020 and could reach personal information belonging to American Anesthesiology patients. In total, the data of 1.2 million people was exposed.
Last on the list of the top ten data breaches reported so far in 2021 is Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp. ("Practicefirst"), a service provider for multiple healthcare providers.
The incident was a failed ransomware attack that came to light at the end of December 2020. The hackers did not encrypt any data, but they did copy files from the Practicefirst network, exposing the personal information of more than 1.2 million patients and employees.
More than 50 hacking incidents disclosed on the HHS portal have each affected more than 100,000 people, showing that healthcare organizations remain attractive targets.
According to HIPAA Journal, nearly 45 million health records were exposed or stolen in breaches reported in 2021.
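The tallies above (the share of exposed records held by the ten largest breaches, and the number of hacking incidents above 100,000 people) can be reproduced from the CSV export the HHS OCR breach portal offers. The script below is an added example, not code from the article or from HHS; the column names are assumed from the portal's export, and the rows embedded in it are constructed sample data with made-up entity names and counts, not the real 2021 figures.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the layout of the HHS OCR breach portal CSV export.
# The column names are assumed from the portal's export; the entity names and
# counts below are made up for illustration and are NOT the real 2021 figures.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Alpha Health System,FL,Healthcare Provider,3500000,02/01/2021,Hacking/IT Incident,Network Server,Yes
Beta Eye Care,FL,Healthcare Provider,3250000,05/28/2021,Hacking/IT Incident,Network Server,No
Gamma Dermatology,NJ,Healthcare Provider,2410000,06/01/2021,Hacking/IT Incident,Network Server,No
Delta Pharmacy Services,TX,Business Associate,1650000,05/06/2021,Hacking/IT Incident,Network Server,Yes
Epsilon Clinic,OH,Healthcare Provider,120000,07/14/2021,Hacking/IT Incident,Email,No
Zeta Health Plan,CA,Health Plan,45000,03/03/2021,Unauthorized Access/Disclosure,Paper/Films,No
Eta Medical Group,NY,Healthcare Provider,9000,08/20/2021,Theft,Laptop,No
"""


def load_breaches(csv_text):
    """Parse the export into dicts, converting the affected count to an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Some exports include thousands separators; strip them before parsing.
        row["Individuals Affected"] = int(row["Individuals Affected"].replace(",", ""))
        rows.append(row)
    return rows


def total_affected(rows):
    """Total number of individuals affected across all listed breaches."""
    return sum(r["Individuals Affected"] for r in rows)


def top_n_share(rows, n=10):
    """Fraction of all affected individuals accounted for by the n largest breaches."""
    counts = sorted((r["Individuals Affected"] for r in rows), reverse=True)
    total = sum(counts)
    return sum(counts[:n]) / total if total else 0.0


def large_hacking_incidents(rows, threshold=100_000):
    """Breaches the portal classes as Hacking/IT Incident that exceed a size threshold."""
    return [
        r for r in rows
        if r["Type of Breach"].startswith("Hacking") and r["Individuals Affected"] > threshold
    ]


def affected_by_type(rows):
    """Individuals affected, summed per 'Type of Breach' category."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["Type of Breach"]] += r["Individuals Affected"]
    return dict(totals)


def summarize(rows, n=10, threshold=100_000):
    """The headline numbers a breach roundup like the one above reports."""
    return {
        "total_affected": total_affected(rows),
        "top_n_share": round(top_n_share(rows, n), 3),
        "large_hacking_incidents": len(large_hacking_incidents(rows, threshold)),
        "by_type": affected_by_type(rows),
    }


if __name__ == "__main__":
    breaches = load_breaches(SAMPLE_CSV)
    for key, value in summarize(breaches).items():
        print(f"{key}: {value}")
```

To run it against the real data, download the portal's CSV export and pass the file contents to `load_breaches` instead of `SAMPLE_CSV`; if HHS renames a column, adjust the three header strings the functions reference. Note that the portal only lists breaches of 500 or more individuals, so totals computed this way undercount smaller incidents.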