We're nearing the end of 2021, so it's an appropriate time to look back at what have been some of the largest data breaches of healthcare organizations during the year. We hope that by highlighting these breaches, we'll help you gain a better appreciation for understanding the importance of cybersecurity and the need to take it seriously year-round. Even with the best policies, procedures, technologies, safeguards, training, and education, breaches can and do still occur.
Lessons can almost always be learned from the experiences of other organizations, regardless of their size. Considering that at least a few of the organizations on this list likely have extensive, comprehensive, enterprise-level security measures and systems in place, it is that much more important for small and mid-sized organizations to make intelligent investments in their technology, support, and cybersecurity infrastructure. It's also advisable for organizations of all sizes to stay informed about the latest trends and developments concerning cybersecurity, including new threats, incidents, changes to rules, and recommended practices.
Without further ado, here are five of the largest data breaches suffered by healthcare organizations thus far in 2021, organized alphabetically by organization name. Note: While a few of the breaches identified occurred in 2020, they were not submitted to the U.S. Department of Health and Human Services until 2021.
CaptureRx — Based in San Antonio, Texas, NEC Networks, dba CaptureRx, helps hospitals manage their 340B drug program. In May, HIPAA Journal reported that the company experienced a ransomware attack in which files containing the protected health information (PHI) of customers' patients were stolen. The publication reported that more than 30 of CaptureRx's clients were affected, which would grow in June when MetroHealth System in Cleveland announced it had experienced a data breach connected to CaptureRx. An investigation found that certain files were accessed in February, with compromised files containing patient information that included names, birthdates, and prescription details.
WOIO in Cleveland reported that the cause of the security incident was identified as a "vulnerability with the build serve hosted by a third party which was then taken advantage of," thus allowing the cybercriminal to gain credentials and access the server.
In total, CaptureRx reported that there were nearly 1.7 million (1,656,569) known individuals affected.
Florida Healthy Kids Corp. — Florida Healthy Kids is a Tallahassee, Fla.-based Medicaid health plan. Health News Florida reported in January that the organization had issued a statement indicating it was notified in December 2020 that Florida KidCare applicants were inappropriately accessed and tampered with. Florida KidCare, the publication reported, is an umbrella name that incorporates four programs that provide health coverage for children from birth to age 18.
HIPAA Journal provided more details on the incident, noting that Florida Healthy Kids had "discovered its web hosting provider failed to patch vulnerabilities which were exploited by cybercriminals to gain access to its website and the protected health information of applicants for benefits for the past seven years." The types of information exposed to the cybercriminals included full names, birth dates, email addresses, telephone numbers, physical and mailing addresses, Social Security numbers, financial information, family relationships of individuals included in the application, and secondary insurance information.
Cybersecurity experts conducted an investigation to determine the scope and severity of the breach. A review of the hosted website platform and the databases supporting the Florida KidCare application revealed vulnerabilities present for seven years, from November 2013 to December 2020. Florida Healthy Kids reported that the breach affected 3.5 million individuals, which would make it one of the largest healthcare data breaches of all time.
Forefront Dermatology — Forefront Dermatology is a dermatology practice comprised of about 200 dermatologists practicing across more than 20 states. The organization stated that it identified an intrusion into its IT network by unauthorized parties in June — an intrusion, an investigation would reveal, that resulted in unauthorized access to certain files containing PHI between May 28 and June 5. This information may have included patient names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, accession numbers, provider names, and/or medical and clinical treatment information. The total number of affected individuals surpassed 2.4 million (2,413,553).
In response to the incident, the organization stated, "To help prevent something like this from happening again, Forefront Dermatology is enhancing its security protocols."
St. Joseph's/Candler (SJ/C) — This hospital system in Savannah, Ga., announced that in June, it detected suspicious activity in its IT network. An investigation supported by a cybersecurity firm determined that an unauthorized party had gained access to the system's IT network between Dec. 18, 2020, and the date of detection. While in the IT network, the cybercriminal launched a ransomware attack that made files on SJ/C's systems inaccessible.
Furthermore, the investigation found that the cybercriminal may have accessed files containing patient information, which could have included patient names in combination with their address, date of birth, Social Security number, driver’s license number, patient account number, billing account number, financial information, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information regarding care received from the health system.
The health system reported that 1.4 million individuals were affected. SJ/C stated that it established a dedicated call center to answer questions about the incident and offered notified individuals complimentary credit monitoring and identity protection services.
20/20 Eye Care Network — Based in Fort Lauderdale, Fla, 20/20 Eye Care Network is a vision and hearing benefits administrator. In January, the organization was alerted to suspicious activity in its Amazon Web Services (AWS) environment. Following an investigation, it was determined that data was potentially removed from the S3 buckets hosted in AWS and all the data in these buckets was subsequently deleted.
The investigation determined that the data could have included information about some or all health plan members for whom it had records. The total number of individuals affected surpassed 3.25 million (3,253,822). The information that could have been subject to unauthorized access included name, address, Social Security number, member identification number, date of birth, and health insurance information.
A report on the data breach noted that affected individuals were offered 12 months of credit monitoring, identity restoration services, and fraud consultation through TransUnion.
Strengthening Your Cybersecurity Defenses
Hopefully, this post doesn't have you panicking about the potential that your organization may experience a breach. Rather, we hope that you'll be motivated to take a closer look at your organization's security posture and consider undergoing a security risk assessment if you haven't had one in a while. An assessment is an easy and effective way to identify potential cybersecurity vulnerabilities and get expert guidance on remediating those issues that are identified. To help you gain a better understanding of what to expect from a security risk assessment, download this helpful checklist.