Cybersecurity in Healthcare 2020: 5 of the Biggest Breaches

Nelson Gomes

By Nelson Gomes

Cybersecurity in Healthcare 2020

In today's increasingly digital world, focusing on cybersecurity for healthcare is non-negotiable thanks to the vast amounts of electronic patient information that organizations such as physician practices, ambulatory surgery centers (ASCs), and community health centers must collect, process, and store. Healthcare security challenges have also multiplied in recent years as organizations have grown more reliant on myriad specialized information systems, including EHR platforms, e-prescribing software, and practice management support systems. This can make enforcing information security even more complex.

Meanwhile, the rise of medical IoT devices (e.g., remote patient monitoring devices, sleep monitors, medication refill reminders) and other smart equipment (e.g., HVAC, infusion pumps) further increases the attack surface through which cybercriminals can infiltrate a healthcare organization's network. Couple all these challenges with the cybersecurity risks brought on by the COVID-19 pandemic and it's no wonder that cybersecurity in healthcare in 2020 proved especially difficult.

Healthcare Cybersecurity Statistics 2020

How much of a challenge was healthcare cybersecurity last year? The statistics tell the story. Consider that in 2020, the healthcare industry experienced a 51% increase in the total volume of records exposed compared with 2019. Healthcare cyberattacks were responsible for 24.1 million of those breaches. An average of 1.76 data breaches of 500 or more healthcare records were reported each day in 2020 — double what was reported just two years earlier. The average cost per healthcare record breached rose to about $500, costing healthcare organizations around $13.2 billion. Finally, healthcare data breaches were the most expensive by industry in 2020. The average breach cost $9.2 million — an increase of $2 million from 2019.

Unfortunately, 2021 is not shaping up to be much better. In fact, it may prove to be an even worse year for cybercriminal activity. The U.S. Department of Health and Human Services Breach Portal documented more than 300 new data breaches affecting at least 500 pieces of protected health information (PHI) in the first half of the year alone. Ransomware attacks are on the rise, and every day, nearly half a million new pieces of malware and potentially unwanted applications are detected daily — a figure that's also increasing.

Top Breaches of Cybersecurity in Healthcare in 2020

Cybercriminals are constantly devising new ways to infiltrate systems and steal sensitive, valuable information. Whenever they are successful in these efforts, we are presented with an opportunity for lessons to be learned from what occurred.

Cybercriminals are constantly devising new ways to infiltrate systems and steal sensitive, valuable information. Whenever they are successful in these efforts, we are presented with an opportunity for lessons to be learned from what occurred.

That's why at Medicus IT, we are constantly reviewing reports about healthcare-related breaches. With this information, we identify opportunities to further strengthen our cybersecurity solutions and services, allowing us to better protect sensitive client data and critical systems.

We also share this information with our clients and healthcare community. This education helps them gain a better understanding of current cyberthreats and challenges, what they should be watching for that could indicate a potential threat, and what they should be doing to better protect their organization and data.

Let's look at five of the top healthcare data breaches in 2020.

1. Blackbaud Ransomware Attack Impacted More Than 10 Million Patients

Malware infected the cloud computing vendor's self-hosted environment in May 2020. Although Blackbaud caught the breach in time to stop the cybercriminals from encrypting the entire network, a subset of data was compromised.

More than two dozen healthcare entities/providers were affected. The attackers stole personal patient information, including names, contact details, and social security numbers. As of November 2020, the number of affected patients had surpassed 11 million.

2. Luxottica of America Breach Affected Nearly 830,000 Patients

The eyecare conglomerate suffered two security incidents in 2020. After a ransomware attack earlier in the year, unauthorized personnel broke into the company's web-based appointment scheduling application in August. The breach lasted four days before it was detected.

The cybercriminals gained access to vast amounts of sensitive patient data, such as appointment notes, health insurance policy numbers, health conditions, social security numbers, and credit card information.

Over the next several months, the attackers continued to leak business-critical data they stole from Luxottica, including banking information and other sensitive content. The criminals aren't only monetizing the exfiltrated data — they are also trying to scare future victims into paying the ransom.

3. DCA Alliance Attack Compromised 1 Million Patient Records

Cybercriminals breached the system of Dental Care Alliance (DCA), a third-party practice support vendor for more than 320 dental practices across 20 states, during a month-long attack.

The incident compromised the PHI (e.g., patient names, contact details, account numbers, bank account information, health insurance data) and payment card details of around 1 million patients.

4. Health Share of Oregon Laptop Theft Impacted 654,000 Patients

The PHI of 654,000 patients was leaked when a laptop was stolen from a vendor of Oregon’s largest Medicaid coordinated care organization. The stolen device contained patient names, contact details, dates of birth, and Medicaid ID numbers.

The incident further highlighted that physical security controls (e.g., hardware and endpoint security) and vendor management must be an essential part of any healthcare cybersecurity strategy.

The breach also showed the impact that just one stolen device can have on a healthcare organization. It's critical for organizations to undergo regular HIPAA cyber security risk assessments to help identify risks and vulnerabilities that can put PHI and other sensitive data at risk.

5. Attack on AspenPointe Compromised Data of Nearly 300,000 Patients

A cyberattack on the behavioral and mental health provider's IT infrastructure compromised the data of about 296,000 patients in September 2020. The incident forced AspenPointe to close most of its operations for several days.

The attackers exfiltrated patient data from the provider's network. The information stolen included social security numbers, dates of birth, driver’s license numbers, and bank account information.

Cybersecurity in Healthcare 2020: Lessons Learned

Cybercriminals have developed — and continue to develop — a wide array of methods to attack a healthcare organization's network and compromise patient information. These include phishing, malware and ransomware attacks, exploitation of vulnerabilities, and more that have not yet been anticipated or identified.

Not only that, but as we noted earlier, the number of ransomware attacks is increasing. They are responsible for some of the most damaging healthcare data breaches, which can paralyze systems for weeks and impact patient services.

The need for stronger healthcare cybersecurity is dire. Employee training and education, which are critical facets of HIPAA compliance, can help lower the risk of ransomware attacks. In the event of an attack, a comprehensive backup and recovery plan can help minimize costly downtime.

However, these are just a few of the components of a proactive cybersecurity strategy. Consider that unauthorized access incidents accounted for about 22 of cybersecurity incidents in 2020. These incidents may have been caused by malicious insiders accessing patient records, accidental disclosure of PHI to unauthorized personnel, and human errors that exposed patient information. Strategies such as encryption and security monitoring can help protect sensitive data from unauthorized access while security awareness phishing campaigns can provide the training staff need to reduce the likelihood that they will fall victim to a phishing attempt.

Strengthen Your Defense with Managed Security

It’s clear that cybersecurity for healthcare involves many moving parts, including endpoint protection, automated breach detection, data encryption, dark web monitoring, penetration testing, SIEM (security information and event management), and threat remediation.

Unfortunately, many healthcare organizations lack the budget and resources to implement all the specialized IT systems necessary for effective cybersecurity and stay current with the latest cybersecurity threats and best practices. That's why more organizations are turning to managed healthcare IT services — like those provided by Medicus IT — to better protect their networks and data from malicious actors.

Don't let your healthcare organization become a statistic. Get in touch with us to learn how we can provide the smart, preventive strategies that will strengthen your cybersecurity posture and help keep cybercriminals at bay.

New call-to-action