2020 Was the Worst – in Healthcare Data Breaches
Data breaches can have catastrophic consequences for the organizations that suffer them. From steep costs and fines (often in the millions) to a ruined reputation, data breaches are not to be taken lightly. This is especially true in healthcare, where sensitive patient data, or Protected Health Information (PHI), is the prize cybercriminals are after.
For healthcare data breaches, 2020 was the worst year on record. 642 breaches of 500 or more records (the threshold at which HIPAA requires a breach to be reported to, and published by, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights) were reported in 2020, about 1.76 incidents per day. That is a 25 percent year-over-year increase over 2019, which had itself been a record year.
All told, more than 10 million people were affected by healthcare data breaches in 2020, and more than 29 million Electronic Health Records (EHRs) were exposed, compromised, or impermissibly disclosed as a result.
Related Reading: Top Data Breaches of 2020: How You Can Minimize Your Risks
The Cost of a Data Breach
According to the Ponemon Institute's Cost of a Data Breach Report for 2020, the average data breach cost $3.86 million. Healthcare breaches are the costliest of any industry to resolve.
The report puts healthcare's average breach cost at $7.14 million globally and $8.6 million in the United States, a 10.5 percent increase year-over-year. Healthcare has had the highest average cost of any industry in every year the report has covered.
The report also found that customer Personally Identifiable Information (PII) was the type of data most often lost or stolen and carried the highest cost per record, $150. That figure rises to $175 per record when the PII was compromised in a malicious attack.
The Most Common Causes of Data Breaches
In healthcare, according to the Cost of a Data Breach Report, 50 percent of breaches were caused by malicious attacks, a category that covers exploitation of vulnerabilities, phishing, malware, and ransomware.
A further 23 percent were due to system glitches and 27 percent to human error.
Watch the Webinar: How to Prevent Data Breaches with GoAnywhere
2020’s Biggest Healthcare Data Breaches
The healthcare organizations that reported the largest data breaches in 2020, each affecting more than 500,000 individuals, were:
(Note: Each liability estimate multiplies the number of individuals affected by the $175 per-record cost that the Ponemon Institute's 2020 Cost of a Data Breach Report attributes to malicious attacks. The figure is illustrative only: the same rate is applied to every incident below, including the device theft and improper disposal cases that the report would not classify as malicious attacks and would price at the lower average rate.)
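To make the pricing assumption behind those estimates explicit, here is an added example (not code from the original post) that applies the per-record figures quoted above to breach-notification records, charging $175 only for breach types that correspond to a malicious attack and $150 otherwise, and reports how much a uniform $175 rate overstates the total. The rows are constructed to resemble an export from the HHS breach portal; the column names and the mapping from HHS breach type to cost rate are assumptions.

```python
"""Estimate per-breach liability from breach-notification records.

Added example; not code from the original post. The rows below are
constructed to resemble an export from the HHS OCR breach portal, but
the exact column names are an assumption. Per-record costs are the
2020 Cost of a Data Breach figures quoted in the post: $150 on average
and $175 when the breach resulted from a malicious attack.
"""
import calendar
import csv
import io
from datetime import date

COST_PER_RECORD_AVERAGE = 150    # USD, all root causes
COST_PER_RECORD_MALICIOUS = 175  # USD, malicious attacks only

# Which HHS breach-type labels count as a malicious attack is an
# assumption: "Hacking/IT Incident" does; theft, loss and improper
# disposal are treated as non-malicious and priced at the average rate.
MALICIOUS_TYPES = {"Hacking/IT Incident"}

# Constructed sample rows (entity names and dates are invented).
SAMPLE_CSV = """\
Name of Covered Entity,State,Individuals Affected,Breach Submission Date,Type of Breach
Example Health System,NY,3320726,2020-07-29,Hacking/IT Incident
Example Medical Group,TX,1290670,2020-09-21,Hacking/IT Incident
Example Care Organization,OR,654362,2020-05-19,Theft
Example Emergency Physicians,OH,550000,2020-05-27,Improper Disposal
"""


def cost_per_record(breach_type):
    """Per-record cost for a breach of the given HHS type."""
    if breach_type in MALICIOUS_TYPES:
        return COST_PER_RECORD_MALICIOUS
    return COST_PER_RECORD_AVERAGE


def parse_breaches(text):
    """Parse CSV text into a list of breach dicts with typed fields."""
    breaches = []
    for row in csv.DictReader(io.StringIO(text)):
        breaches.append({
            "entity": row["Name of Covered Entity"],
            "individuals": int(row["Individuals Affected"]),
            "submitted": date.fromisoformat(row["Breach Submission Date"]),
            "breach_type": row["Type of Breach"],
        })
    return breaches


def estimated_liability(breach):
    """Individuals affected times the per-record cost for the breach type."""
    return breach["individuals"] * cost_per_record(breach["breach_type"])


def breaches_per_day(count, year):
    """Average reported breaches per calendar day of the given year."""
    days = 366 if calendar.isleap(year) else 365
    return count / days


def summarize(breaches):
    """Totals under a uniform $175 rate versus the type-aware rate."""
    individuals = sum(b["individuals"] for b in breaches)
    uniform = individuals * COST_PER_RECORD_MALICIOUS
    type_aware = sum(estimated_liability(b) for b in breaches)
    return {
        "breaches": len(breaches),
        "individuals": individuals,
        "liability_uniform_175": uniform,
        "liability_type_aware": type_aware,
        "overstatement": uniform - type_aware,
    }


if __name__ == "__main__":
    rows = parse_breaches(SAMPLE_CSV)
    for b in rows:
        print(f"{b['entity']:<30} {b['breach_type']:<22} ${estimated_liability(b):>15,}")
    print(summarize(rows))
    print(f"2020 rate: {breaches_per_day(642, 2020):.2f} breaches/day")
```

On the constructed rows the uniform rate overstates the type-aware total by the number of non-malicious records times $25; on a real portal export the difference is dominated by theft, loss and improper-disposal incidents, which is exactly the distinction the note above glosses over.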
1. Not-for-Profit Catholic Health System – 3,320,726 Individuals
With more than 3.3 million records affected, this not-for-profit Catholic health system was the worst-hit healthcare victim of a ransomware attack on a U.S.-based cloud computing provider, whose self-hosted environment became infected with malware. The attackers had access to the provider's systems from February to May 2020 before the intrusion was detected, and this organization was one of hundreds of the provider's clients affected by the large-scale attack.
The health system's philanthropy database, containing patient and donor information from 2000 to 2020, was exposed. The PHI included names, addresses, contact information, hospital locations, and insurance information; some patients also had financial information compromised.
Estimated liability: $581,127,050.
2. National Medical Group – 1,290,670 Individuals
This physician-led national medical group suffered a significant breach of its Office 365 environment in June 2020 after employees responded to phishing emails.
The breach was extensive. PHI potentially exposed included patient names, guarantor names, addresses, email addresses, dates of birth, Social Security numbers, driver's license numbers, state identification numbers, financial account information, health insurance information, medical and treatment information, and billing and claims information.
Estimated liability: $225,867,250.
Related Reading: How a Data Security Breach Puts Your Organization at Risk
3. Nonprofit Health System – 1,045,270 Individuals
This nonprofit healthcare provider was also a victim of the February to May cloud computing data security incident.
The health system's fundraising database, containing patient and donor information, was potentially compromised. The data included names, contact details, dates of birth, provider names, dates of service, departments visited, and donation information, including the dates and amounts of donations.
Estimated liability: $182,922,250.
4. Managed Healthcare Company – 1,013,956 Individuals
This April 2020 ransomware attack began with a social engineering phishing scheme in which the attackers impersonated a client. The ransomware was deployed five days later, and in the interval the attackers exfiltrated sensitive data from the affected server.
For this for-profit managed healthcare company the result was a mix of compromised data: employee credentials, passwords, and W-2 forms, as well as patient data including health insurance account information and treatment details. Several of its affiliated entities were also affected by the breach.
Estimated liability: $177,442,300.
5. Dental Support Organization – 1,004,304 Individuals
This dental support organization, with more than 320 affiliated dental practices across 20 states, reported a breach of its systems in late 2020.
Few official details about the nature of the hacking incident have been released, as the investigation is still ongoing. However, the organization has determined that the data affected by the breach could include patient names, contact details, dental diagnoses, treatment information, patient account numbers, billing details, dentists' names, bank account numbers, and health insurance data.
A proposed class action lawsuit alleges that the breach may have resulted from the organization's failure to protect the information with adequate cybersecurity procedures and protocols.
Estimated liability: $175,753,200.
Related Reading: New Tech and New Hacks: How Are Cyber Risks Changing?
6. Operator of Vision Care Facilities – 829,454 Individuals
This operator of vision care facilities across the United States, which also owns luxury eyewear brands, experienced a cyberattack in August 2020 that went undetected for four days.
The attackers gained access to its web-based appointment scheduling system, which held a trove of patient PHI including full appointment notes related to treatment, health insurance policy numbers, health conditions, prescriptions, appointment dates and times, and other sensitive information.
The attacker may also have accessed and acquired third-party information held in the scheduling system, and some patients had their Social Security numbers and credit card information exposed.
Estimated liability: $145,154,450.
7. Integrated Healthcare System – 657,392 Individuals
This integrated healthcare system was also a victim of the February to May cloud computing data security incident.
The hackers potentially gained access to the health system's fundraising database(s), which contained sensitive PII about donors, potential donors, people who may have attended fundraising events, and patients the health system believed might want to donate in the future.
Estimated liability: $115,043,600.
8. Coordinated Care Organization – 654,362 Individuals
This coordinated care organization reported in May 2020 that a laptop belonging to its non-emergent medical transportation vendor had been stolen. The theft occurred in November 2019, and the laptop was not encrypted, so whoever took it could read its contents. Had the drive been encrypted, the PHI would under HHS guidance have been considered unusable and unreadable, and the loss would not have been a reportable breach.
The stolen device contained patient names, contact details, dates of birth, Social Security numbers, and Medicaid ID numbers.
Estimated liability: $114,513,350.
Working with a Vendor? Keep Sensitive Data Secure: The Role MFT Plays in Vendor Management
9. Orthopedic Institute – 640,000 Individuals
In April 2020, this orthopedic institute discovered that ransomware had encrypted data on its servers. The systems were quickly secured, but the subsequent investigation determined that sensitive PII may have been accessed during the incident.
The impacted data varied by patient but could have included Social Security numbers, dates of birth, claims addresses, insurance plan identification numbers, FOI claims histories, diagnosis codes, contact details, and physician locations, among other sensitive information.
Estimated liability: $112,000,000.
10. Emergency Medicine Physicians – 550,000 Individuals
This group of emergency physicians reported a breach in May 2020 after a third-party storage vendor improperly disposed of patient records.
Other healthcare providers were affected, but this democratic emergency medicine group was hit hardest. The records contained PHI from 2002 to 2010.
Estimated liability: $96,250,000.
Related Reading: I’ve Just Been Breached, Now What?
How GoAnywhere Can Help Healthcare Organizations Avoid a Data Breach
GoAnywhere Managed File Transfer (MFT) is a secure file transfer solution that works for healthcare organizations and business associates to safeguard sensitive electronic PHI (ePHI) and EHR data.
The software is easy to implement, requires no programming experience to use, and automates and audits the exchange of information with trading partners and internal systems. It encrypts data in motion and at rest to protect files from unauthorized use and potential data breaches.
Prevention is the best approach to keeping customer data from being exposed in a data breach. To avoid future incidents, it’s a good idea to take a thorough look at the cybersecurity practices that are currently being implemented throughout your organization.
If there are any gaps, strengthen your cybersecurity strategy by:
- Ensuring employees are educated on security concerns and email best practices
- Patching your systems and firmware promptly so known vulnerabilities are not left exposed
- Restricting access to only the individuals who need it
- Implementing strong encryption protocols to protect PHI
- Keeping detailed audit logs for all file transfer activity and workflow processes
- Following data retention laws and not keeping data any longer than needed
- Creating a data breach and incident response plan
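The audit-log item above only pays off if the logs are actually examined. The managed healthcare incident in the list shows why: data was exfiltrated for five days before the ransomware ran, a window in which a bulk-download alert could have fired. As an added example, not from the original post and not the audit format of GoAnywhere or any other product, the following script applies a per-user sliding-window threshold to constructed file-transfer audit lines; the log layout, field names and thresholds are assumptions.

```python
"""Flag bulk downloads in file-transfer audit logs.

Added example; not code from the original post and not the format of
any particular MFT product. The log layout (one event per line,
timestamp followed by key=value pairs) and the thresholds are
assumptions; tune the thresholds against a baseline of normal
activity before relying on them.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MAX_BYTES_PER_WINDOW = 1024 ** 3   # 1 GiB downloaded per user per hour (assumed)
MAX_FILES_PER_WINDOW = 50          # files per user per hour (assumed)

# Constructed sample log: a few routine events and one account pulling
# several large archives from an outside address late at night.
SAMPLE_LOG = """\
2020-04-05T09:12:01Z user=abrown action=download file=/reports/daily.csv bytes=20480 src_ip=10.0.4.17
2020-04-05T23:41:10Z user=jdoe action=download file=/phi/claims_2019_q1.zip bytes=734003200 src_ip=203.0.113.45
2020-04-05T23:43:52Z user=jdoe action=download file=/phi/claims_2019_q2.zip bytes=698351616 src_ip=203.0.113.45
2020-04-05T23:47:30Z user=jdoe action=download file=/hr/w2_2019.zip bytes=52428800 src_ip=203.0.113.45
2020-04-06T08:05:00Z user=abrown action=upload file=/inbound/lab_results.hl7 bytes=4096 src_ip=10.0.4.17
"""


def parse_line(line):
    """Turn one audit line into a dict; raises on malformed input."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": fields["user"],
        "action": fields["action"],
        "file": fields["file"],
        "bytes": int(fields["bytes"]),
        "src_ip": fields["src_ip"],
    }


def detect_bulk_downloads(lines):
    """Sliding-window detector: one alert per user the first time the
    bytes or file count downloaded within WINDOW exceed the thresholds.
    Lines must be in chronological order."""
    recent = defaultdict(deque)   # user -> deque of (ts, bytes, file) inside WINDOW
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "download":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["bytes"], ev["file"]))
        # Drop events that have aged out of the window; the event just
        # appended is always inside it, so the deque never empties here.
        while ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        total_bytes = sum(b for _, b, _ in q)
        over = total_bytes > MAX_BYTES_PER_WINDOW or len(q) > MAX_FILES_PER_WINDOW
        if over and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "src_ip": ev["src_ip"],
                "window_end": ev["ts"],
                "files": [f for _, _, f in q],
                "bytes": total_bytes,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_downloads(SAMPLE_LOG.splitlines()):
        print(f"{alert['window_end']:%Y-%m-%d %H:%M} {alert['user']} from {alert['src_ip']}: "
              f"{alert['bytes']:,} bytes across {len(alert['files'])} files")
```

The detector alerts once per user so a noisy account does not flood the queue, and it keeps the file list from the window so the responder can see at a glance whether the transfer touched PHI paths. A production version would also weight the source address (an outside address against an internal baseline) and the hour of day, both of which stand out in the sample.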
Additional Ways to Protect Your Healthcare Organization: 8 Ways to Protect Your Healthcare Organization from a Data Breach
The Numbers to Back it Up
Implementing strong security practices, analytics, and incident response (IR) preparedness can substantially reduce the cost of a breach if one does happen.
According to the Cost of a Data Breach Report:
- $3.58 million – the difference in average total breach cost between organizations with fully deployed security automation and those with none.
- $2 million – the difference in average total breach cost between organizations with an incident response team that tested its IR plan and those with neither an IR team nor testing.
Start Developing Your Healthcare Data Breach Strategy
Data breaches in the healthcare industry have become an epidemic, and one that is not likely to slow down any time soon.
Considering the cost to both organizations and patients involved, it’s critical that IT teams develop a solid strategy that utilizes the most effective tools when planning to prevent a data breach.
Discover how deploying strong security technologies to encrypt, monitor, and audit your data flow can keep your healthcare organization safe and secure with our guide, “Defending Against a Data Breach: Developing the Right Encryption Strategy.”