Top 4 Healthcare Data Breaches in 2016

Netgain | Cybersecurity & Compliance, Healthcare IT

You think your data is safe. Then you get the call every healthcare organization dreads and hear the words: There has been a security breach.

What would you do? Nearly 90 percent of healthcare lawyers think their healthcare clients are at a greater risk for cybersecurity attacks than other industries, according to a survey conducted by the American Health Lawyers Association.

In 2016 alone, close to 300 breaches, each affecting 500 or more individuals, were reported to the Office for Civil Rights (OCR). The types of breaches these organizations experienced vary, but the top four breaches of 2016 were all classified as hacking or IT incidents.

We look back at the top healthcare data breaches of the past year and share some preventive tips on how to reduce the risk of a breach occurring.

#1 Banner Health
The largest data breach reported in 2016 came from one of the largest nonprofit health care systems in the country, Banner Health. It affected 3.7 million patients, health plan members and beneficiaries, food and beverage customers, physicians and healthcare providers. The breach was discovered on July 7, 2016; the subsequent investigation found that the attack had begun on June 17, 2016. In this incident, attackers gained unauthorized access to computer systems that process payment card data at some of Banner Health's food and beverage outlets.

Shortly afterward, on July 13, 2016, Banner Health learned that the attackers may also have gained unauthorized access to patient information. That information may have included names, birthdates, addresses, health insurance information and Social Security numbers.

Preventive tip: Train end users to recognize and report suspicious activity that could lead to a breach. Note also that, as described, this intrusion started in payment-card systems at food and beverage outlets and went on to reach patient data; segmenting point-of-sale networks from systems that hold patient information limits how far a compromise of one can spread into the other.

#2 Newkirk Products
Newkirk Products Inc. provides healthcare ID cards for health insurance plans. On July 6, 2016, Newkirk Products discovered that a server containing member information on close to 3.3 million individuals had been accessed without authorization, and immediately shut down the affected server.

The server that was accessed contained names, addresses, dates of birth, plan type, member and group ID numbers, names of dependents enrolled in the plan, and primary care providers. Although the server was accessed, there is no evidence to date that the data has been misused. Newkirk responded by offering two years of free identity protection and restoration services to those affected by the breach.

Preventive tip: Use a different password for every website and system, keep them in a password manager rather than reusing one you can remember, and enable multi-factor authentication wherever it is offered. Change a password promptly whenever there is any indication it has been exposed; forced periodic rotation on its own does little against reuse and phishing, which is why current NIST guidance (SP 800-63B) no longer recommends it.

#3 21st Century Oncology
In March 2016, 21st Century Oncology, a nationwide cancer care provider, announced a possible data breach. The FBI had informed the company that one of its databases was inappropriately accessed on October 3, 2015, affecting 2.2 million individuals. Patient names, Social Security numbers, physicians' names, diagnosis and treatment information, and insurance information could all have been affected. Not knowing whether the information had been misused, the provider offered affected patients a free one-year credit protection service.

As a result of the data breach, sixteen class action cases were filed against 21st Century Oncology. Separately, the provider agreed to a $35 million settlement over Medicare fraud allegations. 21st Century Oncology announced that it would take additional steps to strengthen its internal security protocols to help prevent a similar incident in the future.

Preventive tip: Only give users access to the systems, databases and websites they need to fulfil their responsibilities (least privilege), and review those access rights regularly so that accounts do not accumulate permissions they no longer need.

#4 Valley Anesthesiology
Valley Anesthesiology and Pain Consultants (VAPC) is one of the nation's premier providers of anesthesia and pain management services, with locations throughout Phoenix, Arizona. In June 2016, VAPC learned that an unauthorized party may have accessed one of its computer systems, and announced that 882,590 patients may have had their information exposed. The computer forensics firm it hired determined that the unauthorized access may actually have occurred on March 30, 2016. Patient names, providers' names, dates of service, places of treatment, names of health insurers, insurance identification numbers, diagnosis and treatment codes and, in a few cases, Social Security numbers were potentially exposed.

The company offered individuals whose Social Security numbers were exposed a free year of credit monitoring and identity theft protection services.

Preventive tip: Sign a Business Associate Agreement with every partner that handles your patient data, as HIPAA requires. Keep in mind that a BAA is a contract, not a control: verify that the partner actually implements the safeguards it commits to, for example by reviewing its security assessments and breach-notification procedures, rather than treating the signature itself as protection.

With 90 percent of healthcare organizations having experienced a data breach in the last two years, according to the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, it is important to understand the severity of the problem. The exact way data was accessed in each of these cases may never be fully known, but two common causes of such breaches are malware and poor password management. Taking precautions such as using strong, unique passwords and understanding how to protect your organization from malware are important steps toward keeping your data secure.